Windows Analysis Report
MT103-7543324334.exe

Overview

General Information

Sample name: MT103-7543324334.exe
Analysis ID: 1465305
MD5: 6d16dcf1423b30677d2918ae11fe2bc3
SHA1: e1fc54fb00530ab8e07c11b4cc16785858f1917c
SHA256: b6f0586d835acff8c86c02904729023d95b10d879a066a9eeca973deaf582e07
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • MT103-7543324334.exe (PID: 3696 cmdline: "C:\Users\user\Desktop\MT103-7543324334.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
    • powershell.exe (PID: 968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MT103-7543324334.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\MT103-7543324334.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
      • QQ.exe (PID: 2404 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
        • powershell.exe (PID: 4512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • WmiPrvSE.exe (PID: 5076 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • QQ.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
  • QQ.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
    • QQ.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
  • QQ.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
    • QQ.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
  • QQ.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
    • QQ.exe (PID: 6796 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
    • QQ.exe (PID: 4640 cmdline: "C:\Users\user\AppData\Roaming\QQ\QQ.exe" MD5: 6D16DCF1423B30677D2918AE11FE2BC3)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration (Remcos):
  Host:Port:Password: ollar23.duckdns.org:3984:1milliondollar23backup.duckdns.org:3984:1
  Assigned name: ChinaLinkedIn
  Connect interval: 1
  Install flag: Enable
  Setup HKCU\Run: Enable
  Setup HKLM\Run: Enable
  Install path: AppData
  Copy file: QQ.exe
  Startup value: Disable
  Hide file: Disable
  Mutex: Rmc-R6CJUW
  Keylog flag: 1
  Keylog path: Application path
  Keylog file: logs.dat
  Keylog crypt: Disable
  Hide keylog file: Disable
  Screenshot flag: Disable
  Screenshot time: 10
  Take Screenshot option: Disable
  Take screenshot title: (empty)
  Take screenshot time: 5
  Screenshot path: AppData
  Screenshot file: Screenshots
  Screenshot crypt: Disable
  Mouse option: Disable
  Delete file: Disable
  Audio record time: 5
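The configuration above is only useful once it is turned into indicators. The following is an added example written for this page, not code from Joe Sandbox or from Remcos: it parses the Host:Port:Password field and derives the install path, Run-key names and mutex that the rest of the report later observes on the host. Two things are assumptions, and both are marked in the code: that a well-formed Remcos C2 list separates entries with "|", and that the "AppData" install keyword maps to %APPDATA% (the report shows C:\Users\user\AppData\Roaming\QQ\QQ.exe). The string the extractor printed here has lost whatever delimiter it once had, so the parser recovers the entries by a fallback rule and flags the result as ambiguous.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class C2(NamedTuple):
    host: str
    port: int
    password: str


# Configuration fields exactly as the report's extractor printed them.
REPORT_CONFIG = {
    "Host:Port:Password": "ollar23.duckdns.org:3984:1milliondollar23backup.duckdns.org:3984:1",
    "Install path": "AppData",
    "Copy file": "QQ.exe",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Mutex": "Rmc-R6CJUW",
    "Keylog file": "logs.dat",
}

# Assumption: a well-formed Remcos C2 list separates entries with "|". The string
# in this report has no separator at all, so the regex below falls back to
# "an entry ends where a new <dotted host>:<port>: begins". That rule is only
# unambiguous when the password cannot itself look like the start of a host name.
C2_DELIM = "|"
_ENTRY = re.compile(
    r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5}):(?P<pw>.+?)"
    r"(?=[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+:\d{1,5}:|$)"
)


def parse_c2(field: str) -> Tuple[List[C2], bool]:
    """Return (entries, ambiguous). ambiguous is True when more than one entry had
    to be recovered from a string without a delimiter, i.e. the split is a best
    guess that should be confirmed against observed DNS and TCP traffic."""
    if C2_DELIM in field:
        entries = []
        for part in filter(None, field.split(C2_DELIM)):
            host, port, pw = part.split(":", 2)  # the password may itself contain ':'
            entries.append(C2(host, int(port), pw))
        return entries, False
    entries = [C2(m["host"], int(m["port"]), m["pw"]) for m in _ENTRY.finditer(field)]
    return entries, len(entries) > 1


# Install-path keyword -> root directory. Assumption based on this report, where
# "AppData" produced C:\Users\user\AppData\Roaming\QQ\QQ.exe.
INSTALL_ROOTS = {"AppData": "%APPDATA%"}
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"


def host_iocs(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Derive the file, registry and mutex indicators implied by the config."""
    copy_file = cfg["Copy file"]
    subdir = copy_file.rsplit(".", 1)[0]  # "QQ.exe" -> "QQ", matching the observed directory
    install_path = f"{INSTALL_ROOTS[cfg['Install path']]}\\{subdir}\\{copy_file}"
    run_keys = []
    if cfg.get("Setup HKCU\\Run") == "Enable":
        # the Run value is named after the mutex, as the Sigma hit in the report shows
        run_keys.append(f"HKCU\\{RUN_KEY}\\{cfg['Mutex']}")
    if cfg.get("Setup HKLM\\Run") == "Enable":
        # 32-bit image on 64-bit Windows: the write lands under WOW6432Node,
        # which is the key the report shows being set
        run_keys.append(f"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\{cfg['Mutex']}")
    return {
        "install_path": [install_path],
        "run_keys": run_keys,
        "mutex": [cfg["Mutex"]],
        "keylog_file": [cfg["Keylog file"]],
    }


if __name__ == "__main__":
    entries, ambiguous = parse_c2(REPORT_CONFIG["Host:Port:Password"])
    for e in entries:
        print(f"C2 {e.host}:{e.port} password={e.password!r}")
    if ambiguous:
        print("delimiter missing: confirm host boundaries against the DNS queries in the report")
    for kind, values in host_iocs(REPORT_CONFIG).items():
        print(kind, values)
```

On the report's string the parser returns ollar23.duckdns.org and milliondollar23backup.duckdns.org, both on port 3984 with password "1", and flags the split as ambiguous. The sandbox's DNS queries were for milliondollar23.duckdns.org, which suggests the first host was truncated during extraction; that is exactly the situation the ambiguity flag exists for, so block on the observed names and the IP, not only on the extractor's string.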
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -

Source | Rule | Description | Author | Strings
0000001B.00000002.1548659538.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown |
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
(table truncated: 50 entries in the full report)
Source | Rule | Description | Author | Strings
23.2.QQ.exe.3c31ae8.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
23.2.QQ.exe.3c31ae8.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
23.2.QQ.exe.3c31ae8.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x690a8:$a1: Remcos restarted by watchdog!
  • 0x69620:$a3: %02i:%02i:%02i:%03i
23.2.QQ.exe.3c31ae8.1.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x630fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6316c:$str_b2: Executing file:
  • 0x641ec:$str_b3: GetDirectListeningPort
  • 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d18:$str_b7: \update.vbs
  • 0x63194:$str_b9: Downloaded file:
  • 0x63180:$str_b10: Downloading file:
  • 0x63224:$str_b12: Failed to upload file:
  • 0x641b4:$str_b13: StartForward
  • 0x641d4:$str_b14: StopForward
  • 0x63c70:$str_b15: fso.DeleteFile "
  • 0x63c04:$str_b16: On Error Resume Next
  • 0x63ca0:$str_b17: fso.DeleteFolder "
  • 0x63214:$str_b18: Uploaded file:
  • 0x631d4:$str_b19: Unable to delete:
  • 0x63c38:$str_b20: while fso.FileExists("
  • 0x636b1:$str_c0: [Firefox StoredLogins not found]
23.2.QQ.exe.3c31ae8.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x62f7c:$s1: CoGetObject
  • 0x62f90:$s1: CoGetObject
  • 0x62fac:$s1: CoGetObject
  • 0x6cf38:$s1: CoGetObject
  • 0x62f3c:$s2: Elevation:Administrator!new:
(table truncated: 86 entries in the full report)

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MT103-7543324334.exe", ParentImage: C:\Users\user\Desktop\MT103-7543324334.exe, ParentProcessId: 3696, ParentProcessName: MT103-7543324334.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", ProcessId: 968, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\QQ\QQ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MT103-7543324334.exe, ProcessId: 6768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MT103-7543324334.exe", ParentImage: C:\Users\user\Desktop\MT103-7543324334.exe, ParentProcessId: 3696, ParentProcessName: MT103-7543324334.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", ProcessId: 968, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\QQ\QQ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MT103-7543324334.exe, ProcessId: 6768, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MT103-7543324334.exe", ParentImage: C:\Users\user\Desktop\MT103-7543324334.exe, ParentProcessId: 3696, ParentProcessName: MT103-7543324334.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe", ProcessId: 968, ProcessName: powershell.exe
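The Sigma hits above are two events worth detecting on any host: a PowerShell child of a user-launched executable adding a Defender exclusion for a path under the user's profile, and a Run value written by that same executable pointing into AppData. The following is an added example written for this page, not code from Joe Sandbox or from the Sigma project. It runs equivalent checks over the report's two events plus three constructed controls, one of which hides the same cmdlet behind -EncodedCommand; that one is caught both by decoding the payload and by the base64-offset trick (the CommandLine|base64offset|contains field in the hit above), which finds a plain-text needle inside a base64 blob without decoding anything. The event field names, the tag strings and the three control events are this example's own.

```python
import base64
import re
from typing import Dict, List

# Sample events. The first two are the report's own Sigma hits (PIDs 968 and
# 6768); the remaining three are constructed controls: the same cmdlet hidden
# behind -EncodedCommand, a benign read-only cmdlet, and a vendor installer's Run key.
EVENTS = [
    {"pid": 968, "type": "process", "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
            '-ExclusionPath "C:\\Users\\user\\Desktop\\MT103-7543324334.exe"'},
    {"pid": 6768, "type": "registry", "image": "C:\\Users\\user\\Desktop\\MT103-7543324334.exe",
     "target": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Rmc-R6CJUW",
     "details": "C:\\Users\\user\\AppData\\Roaming\\QQ\\QQ.exe"},
    {"pid": 1001, "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -NoP -EncodedCommand " + base64.b64encode(
         "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\QQ'".encode("utf-16le")).decode()},
    {"pid": 1002, "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe Get-MpPreference"},
    {"pid": 1003, "type": "registry", "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "details": "C:\\Program Files\\Vendor\\updater.exe"},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)
MPPREF_TAMPER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)", re.I | re.S)
EXCLUSION_PATH = re.compile(r"-ExclusionPath\s+[\"']?([A-Z]:\\[^\"']+)", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)


def base64_offset_variants(needle: bytes) -> List[str]:
    """The three base64 encodings of needle, one per 3-byte alignment, with the
    characters that depend on neighbouring bytes trimmed off. Any base64 stream
    that contains needle contains one of these (the Sigma base64offset modifier)."""
    start, end = (0, 2, 3), (None, -3, -2)
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + needle).decode()
        variants.append(enc[start[shift]:end[(len(needle) + shift) % 3]])
    return variants


# PowerShell -EncodedCommand takes base64 of UTF-16LE, so encode the needles that way.
MPPREF_B64 = [v for c in ("Add-MpPreference", "Set-MpPreference")
              for v in base64_offset_variants(c.encode("utf-16le"))]


def decode_encoded_command(cmd: str) -> str:
    """Return cmd with any -EncodedCommand payload decoded and appended, so the
    plain-text patterns also see the hidden script."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def check_process(ev: Dict) -> List[str]:
    hits = []
    if any(v in ev["cmd"] for v in MPPREF_B64):
        hits.append("mppreference-base64offset")
    full = decode_encoded_command(ev["cmd"])
    if MPPREF_TAMPER.search(full):
        hits.append("mppreference-tamper")
    m = EXCLUSION_PATH.search(full)
    if m and USER_WRITABLE.match(m.group(1)):
        hits.append("exclusion-in-user-writable-path")
    return hits


def check_registry(ev: Dict) -> List[str]:
    hits = []
    m = RUN_KEY.search(ev["target"])
    if not m:
        return hits
    if USER_WRITABLE.match(ev["details"].strip('"')):
        hits.append("run-key-to-user-writable-path")
    if USER_WRITABLE.match(ev["image"]):
        hits.append("run-key-set-by-user-writable-image")
    if m["name"].startswith("Rmc-"):  # Remcos names the value after its mutex
        hits.append("remcos-run-key-name")
    return hits


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map PID -> detections for every event that triggered at least one."""
    results = {}
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if hits:
            results[ev["pid"]] = hits
    return results


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
```

The base64-offset check is what lets a SIEM match on the raw command line without decoding every PowerShell invocation; decoding is still worth doing when you can, because only the decoded script exposes which path is being excluded. Neither control event produces a hit: reading MpPreference is not tampering, and a Run value that points into Program Files and is written by an image in Program Files is what installers legitimately do.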

              Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\QQ\QQ.exe, ProcessId: 5628, TargetFilename: C:\ProgramData\remcos\logs.dat
              No Snort rule has matched


              AV Detection

Source: 0000001B.00000002.1548659538.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "ollar23.duckdns.org:3984:1milliondollar23backup.duckdns.org:3984:1", "Assigned name": "ChinaLinkedIn", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "QQ.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R6CJUW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe, ReversingLabs: Detection: 71%
Source: MT103-7543324334.exe, ReversingLabs: Detection: 71%
Source: Yara match, type UNPACKEDPE, file sources:
  • 23.2.QQ.exe.3c31ae8.1.unpack
  • 6.2.QQ.exe.3f41930.1.unpack
  • 4.2.MT103-7543324334.exe.400000.0.raw.unpack
  • 1.2.MT103-7543324334.exe.3e30ab8.4.unpack
  • 20.2.QQ.exe.42c3d90.4.unpack
  • 25.2.QQ.exe.3d5a1b0.4.raw.unpack
  • 23.2.QQ.exe.3bb8ec8.4.unpack
  • 4.2.MT103-7543324334.exe.400000.0.unpack
  • 6.2.QQ.exe.3ec8d10.2.unpack
  • 25.2.QQ.exe.3e112b0.2.unpack
  • 23.2.QQ.exe.3c31ae8.1.raw.unpack
  • 6.2.QQ.exe.3f41930.1.raw.unpack
  • 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack
  • 20.2.QQ.exe.42c3d90.4.raw.unpack
  • 1.2.MT103-7543324334.exe.3db7e98.2.unpack
  • 25.2.QQ.exe.3d5a1b0.4.unpack
  • 25.2.QQ.exe.3e112b0.2.raw.unpack
  • 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack
  • 6.2.QQ.exe.3ec8d10.2.raw.unpack
  • 23.2.QQ.exe.3bb8ec8.4.raw.unpack
Source: Yara match, type MEMORY, file sources:
  • 0000001B.00000002.1548659538.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp
  • 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp
  • 00000018.00000002.1465639102.0000000001478000.00000004.00000020.00020000.00000000.sdmp
  • 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp
  • 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp
  • 00000015.00000002.1385310551.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp
  • 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp
  • 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp
  • 0000000B.00000002.3707534940.0000000002B0F000.00000004.00000010.00020000.00000000.sdmp
  • 00000004.00000002.1254234461.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
  • 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp
  • 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp
Source: Yara match, type MEMORYSTR, process memory spaces:
  • MT103-7543324334.exe PID: 3696
  • MT103-7543324334.exe PID: 6768
  • QQ.exe PID: 2404
  • QQ.exe PID: 5628
  • QQ.exe PID: 7812
  • QQ.exe PID: 7880
  • QQ.exe PID: 8064
  • QQ.exe PID: 8128
  • QQ.exe PID: 6048
  • QQ.exe PID: 4640
Source: Yara match, type DROPPED, file source: C:\ProgramData\remcos\logs.dat
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe, Joe Sandbox ML: detected
Source: MT103-7543324334.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MT103-7543324334.exe, code function 4_2_00433837: CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: MT103-7543324334.exe, 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_2e38b30b-9)

              Exploits

Source: Yara match, type UNPACKEDPE, file sources:
  • 23.2.QQ.exe.3c31ae8.1.unpack
  • 6.2.QQ.exe.3f41930.1.unpack
  • 4.2.MT103-7543324334.exe.400000.0.raw.unpack
  • 1.2.MT103-7543324334.exe.3e30ab8.4.unpack
  • 20.2.QQ.exe.42c3d90.4.unpack
  • 25.2.QQ.exe.3d5a1b0.4.raw.unpack
  • 23.2.QQ.exe.3bb8ec8.4.unpack
  • 4.2.MT103-7543324334.exe.400000.0.unpack
  • 6.2.QQ.exe.3ec8d10.2.unpack
  • 25.2.QQ.exe.3e112b0.2.unpack
  • 23.2.QQ.exe.3c31ae8.1.raw.unpack
  • 6.2.QQ.exe.3f41930.1.raw.unpack
  • 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack
  • 20.2.QQ.exe.42c3d90.4.raw.unpack
  • 1.2.MT103-7543324334.exe.3db7e98.2.unpack
  • 25.2.QQ.exe.3d5a1b0.4.unpack
  • 25.2.QQ.exe.3e112b0.2.raw.unpack
  • 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack
  • 6.2.QQ.exe.3ec8d10.2.raw.unpack
  • 23.2.QQ.exe.3bb8ec8.4.raw.unpack
Source: Yara match, type MEMORY, file sources:
  • 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp
  • 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp
  • 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp
  • 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp
  • 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp
  • 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp
Source: Yara match, type MEMORYSTR, process memory spaces:
  • MT103-7543324334.exe PID: 3696
  • MT103-7543324334.exe PID: 6768
  • QQ.exe PID: 2404
  • QQ.exe PID: 7812
  • QQ.exe PID: 8064
  • QQ.exe PID: 6048

              Privilege Escalation

Source: C:\Users\user\Desktop\MT103-7543324334.exe, code function 4_2_004074FD: _wcslen,CoGetObject (CoGetObject is the call that resolves the Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} moniker matched by the CMSTP UAC-bypass Yara rules above)
Source: MT103-7543324334.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MT103-7543324334.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\MT103-7543324334.exe, code functions:
  • 4_2_00409253: __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
  • 4_2_0041C291: FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
  • 4_2_0040C34D: FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
  • 4_2_00409665: __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
  • 4_2_0044E879: FindFirstFileExA
  • 4_2_0040880C: __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
  • 4_2_0040783C: FindFirstFileW,FindNextFileW
  • 4_2_00419AF5: FindFirstFileW,FindNextFileW,FindNextFileW
  • 4_2_0040BB30: FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
  • 4_2_0040BD37: FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
  • 4_2_00407C97: SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: C:\Users\user\Desktop\MT103-7543324334.exe, code functions:
  • 1_2_07122070: 4x nop then jmp 07121F22h
  • 1_2_0712232C: 4x nop then jmp 07121F22h
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe, code functions:
  • 6_2_07952070: 4x nop then jmp 07951F22h
  • 6_2_0795232C: 4x nop then jmp 07951F22h
  • 20_2_079A18F8: 4x nop then jmp 079A17AAh
  • 20_2_079A1BB4: 4x nop then jmp 079A17AAh
  • 23_2_06EA18F8: 4x nop then jmp 06EA17AAh
  • 23_2_06EA1BB4: 4x nop then jmp 06EA17AAh
  • 25_2_073F18F8: 4x nop then jmp 073F17AAh
  • 25_2_073F1BB4: 4x nop then jmp 073F17AAh

              Networking

              barindex
              Source: Malware configuration extractorURLs: ollar23.duckdns.org
              Source: unknownDNS query: name: milliondollar23.duckdns.org
              Source: unknownDNS query: name: milliondollar23backup.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.7:49703 -> 138.201.150.244:3984
              Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 4_2_0041B380
Source: global traffic | DNS traffic detected: DNS query: milliondollar23.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: milliondollar23backup.duckdns.org
Source: MT103-7543324334.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: MT103-7543324334.exe, 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, MT103-7543324334.exe, 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, QQ.exe, 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: MT103-7543324334.exe, 00000001.00000002.1271398062.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000006.00000002.1296460638.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000014.00000002.1408801876.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000017.00000002.1488168688.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000019.00000002.1569302206.0000000002D96000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MT103-7543324334.exe, QQ.exe.4.dr | String found in binary or memory: http://tempuri.org/AukcionDBDataSet.xsd

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 | 4_2_0040A2B8
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\QQ\QQ.exe
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard | 4_2_0040B70E
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 4_2_004168C1
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 4_2_0040A3E0

              E-Banking Fraud

Source: Yara match | File source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.QQ.exe.3d5a1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.QQ.exe.3c31ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.QQ.exe.3f41930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.QQ.exe.42c3d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.QQ.exe.3e112b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.QQ.exe.3ec8d10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.QQ.exe.3bb8ec8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001B.00000002.1548659538.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1465639102.0000000001478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1385310551.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3707534940.0000000002B0F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1254234461.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MT103-7543324334.exe PID: 3696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MT103-7543324334.exe PID: 6768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 2404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 5628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 7812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 8064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 8128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 6048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QQ.exe PID: 4640, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0041C9E2 SystemParametersInfoW | 4_2_0041C9E2

              System Summary

Source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.QQ.exe.3d5a1b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.QQ.exe.3d5a1b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.QQ.exe.3c31ae8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.QQ.exe.3c31ae8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.QQ.exe.3f41930.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.QQ.exe.3f41930.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.QQ.exe.42c3d90.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.QQ.exe.42c3d90.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.QQ.exe.3e112b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.QQ.exe.3e112b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.QQ.exe.3ec8d10.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.QQ.exe.3ec8d10.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.QQ.exe.3bb8ec8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.QQ.exe.3bb8ec8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: MT103-7543324334.exe PID: 3696, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: MT103-7543324334.exe PID: 6768, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: QQ.exe PID: 2404, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: QQ.exe PID: 7812, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: QQ.exe PID: 8064, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: QQ.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: MT103-7543324334.exe, TableAdapter.cs | Large array initialization: array initializer size 864054
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress | 4_2_004167B4
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: String function: 00434E10 appears 54 times
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: String function: 00402093 appears 50 times
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: String function: 00434770 appears 41 times
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: String function: 00401E65 appears 34 times
              Source: MT103-7543324334.exe, 00000001.00000002.1271398062.0000000002D51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs MT103-7543324334.exe
              Source: MT103-7543324334.exe, 00000001.00000000.1231934460.0000000000A68000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesizf.exe" vs MT103-7543324334.exe
              Source: MT103-7543324334.exe, 00000001.00000002.1289869609.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs MT103-7543324334.exe
              Source: MT103-7543324334.exe, 00000001.00000002.1289681837.0000000008F00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs MT103-7543324334.exe
              Source: MT103-7543324334.exe, 00000001.00000002.1269594813.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs MT103-7543324334.exe
              Source: MT103-7543324334.exe, 00000004.00000002.1254234461.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesizf.exe" vs MT103-7543324334.exe
              Source: MT103-7543324334.exe Binary or memory string: OriginalFilenamesizf.exe" vs MT103-7543324334.exe
              Source: MT103-7543324334.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.QQ.exe.3d5a1b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.QQ.exe.3d5a1b0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.QQ.exe.3c31ae8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.QQ.exe.3c31ae8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.QQ.exe.3f41930.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.QQ.exe.3f41930.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.QQ.exe.42c3d90.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.QQ.exe.42c3d90.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.QQ.exe.3e112b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.QQ.exe.3e112b0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.QQ.exe.3ec8d10.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.QQ.exe.3ec8d10.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.QQ.exe.3bb8ec8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.QQ.exe.3bb8ec8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: MT103-7543324334.exe PID: 3696, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: MT103-7543324334.exe PID: 6768, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: QQ.exe PID: 2404, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: QQ.exe PID: 7812, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: QQ.exe PID: 8064, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: QQ.exe PID: 6048, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: _0020.SetAccessControl
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: _0020.AddAccessRule
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: _0020.SetAccessControl
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: _0020.AddAccessRule
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: _0020.SetAccessControl
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, hNn7Ww8yTbd0RVtrHi.csSecurity API names: _0020.AddAccessRule
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, qTt1jD6uLAiQcCaLfX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, qTt1jD6uLAiQcCaLfX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, qTt1jD6uLAiQcCaLfX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@25/14@27/1
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,4_2_00417952
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,4_2_0040F474
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,4_2_0041B4A8
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AA4A
Source: C:\Users\user\Desktop\MT103-7543324334.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MT103-7543324334.exe.log
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\RIgZWhx
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R6CJUW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hgiwqtjo.usc.ps1
Source: MT103-7543324334.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MT103-7543324334.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\MT103-7543324334.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MT103-7543324334.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\MT103-7543324334.exe | File read: C:\Users\user\Desktop\MT103-7543324334.exe
Source: unknown | Process created: C:\Users\user\Desktop\MT103-7543324334.exe "C:\Users\user\Desktop\MT103-7543324334.exe"
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe"
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Users\user\Desktop\MT103-7543324334.exe "C:\Users\user\Desktop\MT103-7543324334.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe"
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Users\user\Desktop\MT103-7543324334.exe "C:\Users\user\Desktop\MT103-7543324334.exe"
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\MT103-7543324334.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: dwrite.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: dwrite.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\MT103-7543324334.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\MT103-7543324334.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: MT103-7543324334.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: MT103-7543324334.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: MT103-7543324334.exeStatic file information: File size 1601536 > 1048576
              Source: MT103-7543324334.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x185200
              Source: MT103-7543324334.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, hNn7Ww8yTbd0RVtrHi.cs.Net Code: VMJ7OpDTZf System.Reflection.Assembly.Load(byte[])
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, hNn7Ww8yTbd0RVtrHi.cs.Net Code: VMJ7OpDTZf System.Reflection.Assembly.Load(byte[])
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, hNn7Ww8yTbd0RVtrHi.cs.Net Code: VMJ7OpDTZf System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CB50
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 1_2_079247BC push 8B03D598h; iretd 1_2_079247C1
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 1_2_0792530B push 8B03D597h; iretd 1_2_07925310
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 1_2_07925B51 push 8B03D597h; iretd 1_2_07925B56
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 1_2_0792450B push 8B03D597h; iretd 1_2_07924510
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 1_2_079260EA push 8B03D597h; iretd 1_2_079260EF
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 1_2_08FA429B push ebx; ret 1_2_08FA42DA
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_00457106 push ecx; ret 4_2_00457119
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_0045B11A push esp; ret 4_2_0045B141
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_0045E54D push esi; ret 4_2_0045E556
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_00457A28 push eax; ret 4_2_00457A46
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_00434E56 push ecx; ret 4_2_00434E69
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 6_2_075347BC push 8B03E698h; iretd 6_2_075347C1
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 6_2_0753450B push 8B03E697h; iretd 6_2_07534510
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 6_2_0753530B push 8B03E697h; iretd 6_2_07535310
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 6_2_075360EA push 8B03E697h; iretd 6_2_075360EF
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 6_2_07535B51 push 8B03E697h; iretd 6_2_07535B56
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 6_2_090B420D push ebx; ret 6_2_090B42DA
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_0589A370 push esp; ret 20_2_0589A371
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_0589B9D8 push eax; mov dword ptr [esp], ecx20_2_0589B9DC
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_075847BC push 8B041E98h; iretd 20_2_075847C1
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_0758450B push 8B041E97h; iretd 20_2_07584510
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_07585B51 push 8B041E97h; iretd 20_2_07585B56
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_0758530B push 8B041E97h; iretd 20_2_07585310
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_075860EA push 8B041E97h; iretd 20_2_075860EF
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079A2E12 push 0000005Dh; ret 20_2_079A2E41
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079B7485 push edi; iretd 20_2_079B7486
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079B74D6 push edi; iretd 20_2_079B74D8
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079BAA30 push ds; iretd 20_2_079BAA31
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079BA993 push ds; iretd 20_2_079BA999
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079BA97C push ds; iretd 20_2_079BA982
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeCode function: 20_2_079BA968 push ds; iretd 20_2_079BA96E
              Source: MT103-7543324334.exeStatic PE information: section name: .text entropy: 7.374820869707466
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, KiPOYpdaIIK4pENo3x.csHigh entropy of concatenated method names: 'd9T9BtR4XS', 'cWK9yXaDLw', 'B4m9E1JUZX', 'a7lEQHlqqp', 'dLFEzpr4MV', 'lJy9ZKpE18', 'jqh92LVRS9', 'Gut9ILMmNi', 'fKr9gJES5F', 'G8n97lo0Mb'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, NEwbaxH4bE424CAeU6.csHigh entropy of concatenated method names: 'yT3Enqbmsj', 'qKmE07JSYX', 'QXTEv0v6WI', 'ofnE95R9hp', 'AnaE88T4mA', 'GECvix0qmC', 'atVvhrUngt', 'nYavUjO7f5', 'Crfv4PeAC1', 'KnKvPfvWPx'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, ni5L2byy9tC0iqpQ7q.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zyWIPbWQay', 'u3wIQ79aQA', 'pjyIzIcvSk', 'CVKgZWXZhK', 'xfOg21C4Fd', 'wbygIZJRiO', 'LUIggPdqJ7', 'g9Au7TzWaEG2csZ5aH'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, AKRqW57fOOyNUQDal0.csHigh entropy of concatenated method names: 'XBV29Tt1jD', 'ELA28iQcCa', 'PCE2ToagwN', 'Y4V2kSiEOi', 'pUh2ar5YEw', 'Aax2G4bE42', 'PFD9WpYnr3FuIZPbLb', 'uoeSkrxjyL0bdns3Qi', 'p3e22GdcYy', 'WMZ2gOhhqZ'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, hNn7Ww8yTbd0RVtrHi.csHigh entropy of concatenated method names: 'JaKgnBvNv6', 'QsFgBGPleq', 'Kr8g0iXiDp', 'HeYgyJPPcK', 'VTXgv5yOUV', 'HG7gEDgKgl', 'Seeg9LhBFG', 'nc0g8cMZv5', 'KGjgAKXobi', 'SAEgTr857v'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, ptmZsD0c5ki7aUr4IH.csHigh entropy of concatenated method names: 'Dispose', 'zpw2Ph0NeX', 'sq9IfGlS7R', 'IpvnngaIxp', 'J4b2QdAKjV', 'iMB2z4yui9', 'ProcessDialogKey', 'pPtIZdvmek', 'maeI2EmR64', 'tGdIInTZ1V'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, JpXWks56wHO9kFhpni.csHigh entropy of concatenated method names: 'p9Vq6Kixcf', 'DfMquAepHB', 'yeTqHuN8q0', 'ps9qfd9cbT', 'e0SqwbRpXu', 'heSqRh3rNn', 'WpMqd0PeHI', 'AN8qmdCWFy', 'eFGqYxci7Z', 'mw4qN1EtVc'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, FtjdyUz7cvYIQV6IoY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FntFqkOcPH', 'hK6FatyNKK', 'jXxFGSsGR9', 'Sk1Fe5iGYX', 'YYYFVA7dPD', 'G6kFFWlrKr', 'E99FStqUWp'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, xEXANMIj5vpvyqnQ0E.csHigh entropy of concatenated method names: 'C1FOeMxvl', 'ifAojYH9e', 'm0mXYw9YU', 'OnVCkjhTv', 'rZAudxu90', 'UcWpC7XTO', 'fjiUyb6oa9w23wdmsd', 'CS7TOsNPOrKjk7h3E9', 'BBaVNFVXR', 'nUESqkjcb'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, gbAZR1haQsmIomgqNg.csHigh entropy of concatenated method names: 'KFve4EcOOP', 'KWXeQlq80s', 'mgiVZPKU1w', 'Fk8V27a9N8', 'VyCeNpB9mY', 'KpReMvMIkv', 'IJTe5QEaae', 'BJcesgoge3', 'Iu5ecH03Dw', 'tlDejgecTH'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, MnGi3hsDga2OlVgbWv.csHigh entropy of concatenated method names: 'wuRaYIGuQ8', 'MGXaMH3VGD', 'Qp9aseKIKt', 'vd5acknXho', 'FI1afyHrLI', 'BfHatO6ag5', 'DQEawcDtCA', 't5LaRufyAS', 'UMra167pbn', 'VYtadsNxqb'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, dSVgjZ2gRcPFXjQx5GS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b4DSstfftH', 'wOKSc5NWpi', 'OaVSjnnwvo', 'I3ySWyt9gi', 'pR5SibpaTf', 'p2wShkUUd9', 'kNySUT1Q8b'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, qTt1jD6uLAiQcCaLfX.csHigh entropy of concatenated method names: 'koK0sQ1STw', 'hN20cF2YFd', 'rbs0jhcQpH', 'jJi0WxO4Sd', 'G9V0iRvC5U', 'VYl0hKCDQk', 'lA70UwOAp6', 'MJp0401pbs', 'BJc0POiXIZ', 'XoM0QyZLjK'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, WbdAKj4VEMB4yui9GP.csHigh entropy of concatenated method names: 'y3VVBAa7tJ', 'Px4V0ppOYd', 'V7aVyRe87y', 'y4YVvCrYjI', 'tCkVEErYKQ', 'CwBV9uT7Uq', 'p5WV8y6Axe', 'YOhVAXgZl4', 'K3eVT3oRE8', 'fkUVkWZbAQ'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, TkWgOMuCEoagwNQ4VS.csHigh entropy of concatenated method names: 'QpRyoLn8SQ', 'CQByX1uQVJ', 'Epuy6hWs0h', 'HBfyuTrfES', 'Bs7yacesKW', 'CmDyGYMSoP', 'bDEyeVQwAh', 'WGNyVwRHIH', 'KymyF0noch', 'p6PySa53NZ'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, z21JwtjvTtu9KXPZuG.csHigh entropy of concatenated method names: 'ToString', 'JJyGNa5LXK', 'bQAGfCLYQN', 'iHFGt4XnTZ', 'DbqGwl384F', 'gs2GReFWsn', 'XeRG1Qe5Zt', 'CmEGdYjNCh', 'x3UGmsN9HX', 'QFcGKbGEEo'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, HdvmekPkaeEmR64SGd.csHigh entropy of concatenated method names: 'Bn5VHWxxCE', 'vFOVftMoH7', 'qvSVtS7iWO', 'ty8Vw299TX', 'Nr9Vs8rrCa', 'ErNVRuExhX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, IqwdBWcr38ouV1FXyq.csHigh entropy of concatenated method names: 'RWDaUbFLwl', 'zoOa4P7LWC', 'yyDaPQMxxp', 'irjaQTw7s2', 'SJSHDdcCT1G78EApZ82', 'e0mrgXcP1M4OYcbryID', 'kqVp52ckVH6VVc6ElXd'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, UpmDKJ1ZWtji5WUrhh.csHigh entropy of concatenated method names: 'AAmEjIaK2D', 'uItEWrpWcG', 'zIaEi6mtBb', 'ToString', 'PLFEhREG95', 'qe7EULwctr', 'Hs720aGOxqA92O4NYMY', 'BNdkjNGovZYSIYTYP3i', 'BXOK68GSIZsd6YQlOhf'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, TlqPA1K8kwXgfAsvBM.csHigh entropy of concatenated method names: 'Wcu9DwKA5Q', 'eji9riVMCc', 'Sc19Ogt7Cw', 'YYO9o8s3IE', 'vGR9bsbXQd', 'w2m9XXP99r', 'MVs9C9492v', 'Um496PUrNr', 'xrh9u9W3D2', 'yd59pP9UmP'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, pS1VxMWZJHL4v5mmTQ.csHigh entropy of concatenated method names: 't0beTS80xo', 'OyFekoQ77W', 'ToString', 'To3eBiY3m8', 'Ww7e0iI4dv', 'ziUeyPGqKK', 'Dmfev0PKuM', 'hHaeEoDUR7', 'eTDe9tEKNG', 'LWTe8USfsr'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, kNprGw2ZiZwM3sepa2o.csHigh entropy of concatenated method names: 'Ow0FDOTJ1w', 'MEtFrUqxVC', 'OsWFObgaf8', 'tSbFoajkrR', 'zHXFbqrQo8', 'kxWFX4KlEB', 'jAfFCWArIr', 'yx4F6S0V2P', 'gFMFuZIAEP', 'RVsFpVw5MM'
              Source: 1.2.MT103-7543324334.exe.4226410.1.raw.unpack, eTZ1V5QYHFhQyLXdL9.csHigh entropy of concatenated method names: 'FD6F2qoxOV', 'yqiFglMbu8', 'EZGF7j1DDu', 'IvwFB1lg9j', 'lIKF0ntmZh', 'ikFFvTy4jt', 'a6iFEbxUho', 'O60VUgQ8op', 'wVmV4i6nM7', 'wCdVP8YW8a'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, KiPOYpdaIIK4pENo3x.csHigh entropy of concatenated method names: 'd9T9BtR4XS', 'cWK9yXaDLw', 'B4m9E1JUZX', 'a7lEQHlqqp', 'dLFEzpr4MV', 'lJy9ZKpE18', 'jqh92LVRS9', 'Gut9ILMmNi', 'fKr9gJES5F', 'G8n97lo0Mb'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, NEwbaxH4bE424CAeU6.csHigh entropy of concatenated method names: 'yT3Enqbmsj', 'qKmE07JSYX', 'QXTEv0v6WI', 'ofnE95R9hp', 'AnaE88T4mA', 'GECvix0qmC', 'atVvhrUngt', 'nYavUjO7f5', 'Crfv4PeAC1', 'KnKvPfvWPx'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, ni5L2byy9tC0iqpQ7q.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zyWIPbWQay', 'u3wIQ79aQA', 'pjyIzIcvSk', 'CVKgZWXZhK', 'xfOg21C4Fd', 'wbygIZJRiO', 'LUIggPdqJ7', 'g9Au7TzWaEG2csZ5aH'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, AKRqW57fOOyNUQDal0.csHigh entropy of concatenated method names: 'XBV29Tt1jD', 'ELA28iQcCa', 'PCE2ToagwN', 'Y4V2kSiEOi', 'pUh2ar5YEw', 'Aax2G4bE42', 'PFD9WpYnr3FuIZPbLb', 'uoeSkrxjyL0bdns3Qi', 'p3e22GdcYy', 'WMZ2gOhhqZ'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, hNn7Ww8yTbd0RVtrHi.csHigh entropy of concatenated method names: 'JaKgnBvNv6', 'QsFgBGPleq', 'Kr8g0iXiDp', 'HeYgyJPPcK', 'VTXgv5yOUV', 'HG7gEDgKgl', 'Seeg9LhBFG', 'nc0g8cMZv5', 'KGjgAKXobi', 'SAEgTr857v'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, ptmZsD0c5ki7aUr4IH.csHigh entropy of concatenated method names: 'Dispose', 'zpw2Ph0NeX', 'sq9IfGlS7R', 'IpvnngaIxp', 'J4b2QdAKjV', 'iMB2z4yui9', 'ProcessDialogKey', 'pPtIZdvmek', 'maeI2EmR64', 'tGdIInTZ1V'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, JpXWks56wHO9kFhpni.csHigh entropy of concatenated method names: 'p9Vq6Kixcf', 'DfMquAepHB', 'yeTqHuN8q0', 'ps9qfd9cbT', 'e0SqwbRpXu', 'heSqRh3rNn', 'WpMqd0PeHI', 'AN8qmdCWFy', 'eFGqYxci7Z', 'mw4qN1EtVc'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, FtjdyUz7cvYIQV6IoY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FntFqkOcPH', 'hK6FatyNKK', 'jXxFGSsGR9', 'Sk1Fe5iGYX', 'YYYFVA7dPD', 'G6kFFWlrKr', 'E99FStqUWp'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, xEXANMIj5vpvyqnQ0E.csHigh entropy of concatenated method names: 'C1FOeMxvl', 'ifAojYH9e', 'm0mXYw9YU', 'OnVCkjhTv', 'rZAudxu90', 'UcWpC7XTO', 'fjiUyb6oa9w23wdmsd', 'CS7TOsNPOrKjk7h3E9', 'BBaVNFVXR', 'nUESqkjcb'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, gbAZR1haQsmIomgqNg.csHigh entropy of concatenated method names: 'KFve4EcOOP', 'KWXeQlq80s', 'mgiVZPKU1w', 'Fk8V27a9N8', 'VyCeNpB9mY', 'KpReMvMIkv', 'IJTe5QEaae', 'BJcesgoge3', 'Iu5ecH03Dw', 'tlDejgecTH'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, MnGi3hsDga2OlVgbWv.csHigh entropy of concatenated method names: 'wuRaYIGuQ8', 'MGXaMH3VGD', 'Qp9aseKIKt', 'vd5acknXho', 'FI1afyHrLI', 'BfHatO6ag5', 'DQEawcDtCA', 't5LaRufyAS', 'UMra167pbn', 'VYtadsNxqb'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, dSVgjZ2gRcPFXjQx5GS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b4DSstfftH', 'wOKSc5NWpi', 'OaVSjnnwvo', 'I3ySWyt9gi', 'pR5SibpaTf', 'p2wShkUUd9', 'kNySUT1Q8b'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, qTt1jD6uLAiQcCaLfX.csHigh entropy of concatenated method names: 'koK0sQ1STw', 'hN20cF2YFd', 'rbs0jhcQpH', 'jJi0WxO4Sd', 'G9V0iRvC5U', 'VYl0hKCDQk', 'lA70UwOAp6', 'MJp0401pbs', 'BJc0POiXIZ', 'XoM0QyZLjK'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, WbdAKj4VEMB4yui9GP.csHigh entropy of concatenated method names: 'y3VVBAa7tJ', 'Px4V0ppOYd', 'V7aVyRe87y', 'y4YVvCrYjI', 'tCkVEErYKQ', 'CwBV9uT7Uq', 'p5WV8y6Axe', 'YOhVAXgZl4', 'K3eVT3oRE8', 'fkUVkWZbAQ'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, TkWgOMuCEoagwNQ4VS.csHigh entropy of concatenated method names: 'QpRyoLn8SQ', 'CQByX1uQVJ', 'Epuy6hWs0h', 'HBfyuTrfES', 'Bs7yacesKW', 'CmDyGYMSoP', 'bDEyeVQwAh', 'WGNyVwRHIH', 'KymyF0noch', 'p6PySa53NZ'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, z21JwtjvTtu9KXPZuG.csHigh entropy of concatenated method names: 'ToString', 'JJyGNa5LXK', 'bQAGfCLYQN', 'iHFGt4XnTZ', 'DbqGwl384F', 'gs2GReFWsn', 'XeRG1Qe5Zt', 'CmEGdYjNCh', 'x3UGmsN9HX', 'QFcGKbGEEo'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, HdvmekPkaeEmR64SGd.csHigh entropy of concatenated method names: 'Bn5VHWxxCE', 'vFOVftMoH7', 'qvSVtS7iWO', 'ty8Vw299TX', 'Nr9Vs8rrCa', 'ErNVRuExhX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, IqwdBWcr38ouV1FXyq.csHigh entropy of concatenated method names: 'RWDaUbFLwl', 'zoOa4P7LWC', 'yyDaPQMxxp', 'irjaQTw7s2', 'SJSHDdcCT1G78EApZ82', 'e0mrgXcP1M4OYcbryID', 'kqVp52ckVH6VVc6ElXd'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, UpmDKJ1ZWtji5WUrhh.csHigh entropy of concatenated method names: 'AAmEjIaK2D', 'uItEWrpWcG', 'zIaEi6mtBb', 'ToString', 'PLFEhREG95', 'qe7EULwctr', 'Hs720aGOxqA92O4NYMY', 'BNdkjNGovZYSIYTYP3i', 'BXOK68GSIZsd6YQlOhf'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, TlqPA1K8kwXgfAsvBM.csHigh entropy of concatenated method names: 'Wcu9DwKA5Q', 'eji9riVMCc', 'Sc19Ogt7Cw', 'YYO9o8s3IE', 'vGR9bsbXQd', 'w2m9XXP99r', 'MVs9C9492v', 'Um496PUrNr', 'xrh9u9W3D2', 'yd59pP9UmP'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, pS1VxMWZJHL4v5mmTQ.csHigh entropy of concatenated method names: 't0beTS80xo', 'OyFekoQ77W', 'ToString', 'To3eBiY3m8', 'Ww7e0iI4dv', 'ziUeyPGqKK', 'Dmfev0PKuM', 'hHaeEoDUR7', 'eTDe9tEKNG', 'LWTe8USfsr'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, kNprGw2ZiZwM3sepa2o.csHigh entropy of concatenated method names: 'Ow0FDOTJ1w', 'MEtFrUqxVC', 'OsWFObgaf8', 'tSbFoajkrR', 'zHXFbqrQo8', 'kxWFX4KlEB', 'jAfFCWArIr', 'yx4F6S0V2P', 'gFMFuZIAEP', 'RVsFpVw5MM'
              Source: 1.2.MT103-7543324334.exe.8fb0000.8.raw.unpack, eTZ1V5QYHFhQyLXdL9.csHigh entropy of concatenated method names: 'FD6F2qoxOV', 'yqiFglMbu8', 'EZGF7j1DDu', 'IvwFB1lg9j', 'lIKF0ntmZh', 'ikFFvTy4jt', 'a6iFEbxUho', 'O60VUgQ8op', 'wVmV4i6nM7', 'wCdVP8YW8a'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, KiPOYpdaIIK4pENo3x.csHigh entropy of concatenated method names: 'd9T9BtR4XS', 'cWK9yXaDLw', 'B4m9E1JUZX', 'a7lEQHlqqp', 'dLFEzpr4MV', 'lJy9ZKpE18', 'jqh92LVRS9', 'Gut9ILMmNi', 'fKr9gJES5F', 'G8n97lo0Mb'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, NEwbaxH4bE424CAeU6.csHigh entropy of concatenated method names: 'yT3Enqbmsj', 'qKmE07JSYX', 'QXTEv0v6WI', 'ofnE95R9hp', 'AnaE88T4mA', 'GECvix0qmC', 'atVvhrUngt', 'nYavUjO7f5', 'Crfv4PeAC1', 'KnKvPfvWPx'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, ni5L2byy9tC0iqpQ7q.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zyWIPbWQay', 'u3wIQ79aQA', 'pjyIzIcvSk', 'CVKgZWXZhK', 'xfOg21C4Fd', 'wbygIZJRiO', 'LUIggPdqJ7', 'g9Au7TzWaEG2csZ5aH'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, AKRqW57fOOyNUQDal0.csHigh entropy of concatenated method names: 'XBV29Tt1jD', 'ELA28iQcCa', 'PCE2ToagwN', 'Y4V2kSiEOi', 'pUh2ar5YEw', 'Aax2G4bE42', 'PFD9WpYnr3FuIZPbLb', 'uoeSkrxjyL0bdns3Qi', 'p3e22GdcYy', 'WMZ2gOhhqZ'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, hNn7Ww8yTbd0RVtrHi.csHigh entropy of concatenated method names: 'JaKgnBvNv6', 'QsFgBGPleq', 'Kr8g0iXiDp', 'HeYgyJPPcK', 'VTXgv5yOUV', 'HG7gEDgKgl', 'Seeg9LhBFG', 'nc0g8cMZv5', 'KGjgAKXobi', 'SAEgTr857v'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, ptmZsD0c5ki7aUr4IH.csHigh entropy of concatenated method names: 'Dispose', 'zpw2Ph0NeX', 'sq9IfGlS7R', 'IpvnngaIxp', 'J4b2QdAKjV', 'iMB2z4yui9', 'ProcessDialogKey', 'pPtIZdvmek', 'maeI2EmR64', 'tGdIInTZ1V'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, JpXWks56wHO9kFhpni.csHigh entropy of concatenated method names: 'p9Vq6Kixcf', 'DfMquAepHB', 'yeTqHuN8q0', 'ps9qfd9cbT', 'e0SqwbRpXu', 'heSqRh3rNn', 'WpMqd0PeHI', 'AN8qmdCWFy', 'eFGqYxci7Z', 'mw4qN1EtVc'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, FtjdyUz7cvYIQV6IoY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FntFqkOcPH', 'hK6FatyNKK', 'jXxFGSsGR9', 'Sk1Fe5iGYX', 'YYYFVA7dPD', 'G6kFFWlrKr', 'E99FStqUWp'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, xEXANMIj5vpvyqnQ0E.cs High entropy of concatenated method names: 'C1FOeMxvl', 'ifAojYH9e', 'm0mXYw9YU', 'OnVCkjhTv', 'rZAudxu90', 'UcWpC7XTO', 'fjiUyb6oa9w23wdmsd', 'CS7TOsNPOrKjk7h3E9', 'BBaVNFVXR', 'nUESqkjcb'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, gbAZR1haQsmIomgqNg.cs High entropy of concatenated method names: 'KFve4EcOOP', 'KWXeQlq80s', 'mgiVZPKU1w', 'Fk8V27a9N8', 'VyCeNpB9mY', 'KpReMvMIkv', 'IJTe5QEaae', 'BJcesgoge3', 'Iu5ecH03Dw', 'tlDejgecTH'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, MnGi3hsDga2OlVgbWv.cs High entropy of concatenated method names: 'wuRaYIGuQ8', 'MGXaMH3VGD', 'Qp9aseKIKt', 'vd5acknXho', 'FI1afyHrLI', 'BfHatO6ag5', 'DQEawcDtCA', 't5LaRufyAS', 'UMra167pbn', 'VYtadsNxqb'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, dSVgjZ2gRcPFXjQx5GS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b4DSstfftH', 'wOKSc5NWpi', 'OaVSjnnwvo', 'I3ySWyt9gi', 'pR5SibpaTf', 'p2wShkUUd9', 'kNySUT1Q8b'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, qTt1jD6uLAiQcCaLfX.cs High entropy of concatenated method names: 'koK0sQ1STw', 'hN20cF2YFd', 'rbs0jhcQpH', 'jJi0WxO4Sd', 'G9V0iRvC5U', 'VYl0hKCDQk', 'lA70UwOAp6', 'MJp0401pbs', 'BJc0POiXIZ', 'XoM0QyZLjK'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, WbdAKj4VEMB4yui9GP.cs High entropy of concatenated method names: 'y3VVBAa7tJ', 'Px4V0ppOYd', 'V7aVyRe87y', 'y4YVvCrYjI', 'tCkVEErYKQ', 'CwBV9uT7Uq', 'p5WV8y6Axe', 'YOhVAXgZl4', 'K3eVT3oRE8', 'fkUVkWZbAQ'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, TkWgOMuCEoagwNQ4VS.cs High entropy of concatenated method names: 'QpRyoLn8SQ', 'CQByX1uQVJ', 'Epuy6hWs0h', 'HBfyuTrfES', 'Bs7yacesKW', 'CmDyGYMSoP', 'bDEyeVQwAh', 'WGNyVwRHIH', 'KymyF0noch', 'p6PySa53NZ'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, z21JwtjvTtu9KXPZuG.cs High entropy of concatenated method names: 'ToString', 'JJyGNa5LXK', 'bQAGfCLYQN', 'iHFGt4XnTZ', 'DbqGwl384F', 'gs2GReFWsn', 'XeRG1Qe5Zt', 'CmEGdYjNCh', 'x3UGmsN9HX', 'QFcGKbGEEo'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, HdvmekPkaeEmR64SGd.cs High entropy of concatenated method names: 'Bn5VHWxxCE', 'vFOVftMoH7', 'qvSVtS7iWO', 'ty8Vw299TX', 'Nr9Vs8rrCa', 'ErNVRuExhX', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, IqwdBWcr38ouV1FXyq.cs High entropy of concatenated method names: 'RWDaUbFLwl', 'zoOa4P7LWC', 'yyDaPQMxxp', 'irjaQTw7s2', 'SJSHDdcCT1G78EApZ82', 'e0mrgXcP1M4OYcbryID', 'kqVp52ckVH6VVc6ElXd'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, UpmDKJ1ZWtji5WUrhh.cs High entropy of concatenated method names: 'AAmEjIaK2D', 'uItEWrpWcG', 'zIaEi6mtBb', 'ToString', 'PLFEhREG95', 'qe7EULwctr', 'Hs720aGOxqA92O4NYMY', 'BNdkjNGovZYSIYTYP3i', 'BXOK68GSIZsd6YQlOhf'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, TlqPA1K8kwXgfAsvBM.cs High entropy of concatenated method names: 'Wcu9DwKA5Q', 'eji9riVMCc', 'Sc19Ogt7Cw', 'YYO9o8s3IE', 'vGR9bsbXQd', 'w2m9XXP99r', 'MVs9C9492v', 'Um496PUrNr', 'xrh9u9W3D2', 'yd59pP9UmP'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, pS1VxMWZJHL4v5mmTQ.cs High entropy of concatenated method names: 't0beTS80xo', 'OyFekoQ77W', 'ToString', 'To3eBiY3m8', 'Ww7e0iI4dv', 'ziUeyPGqKK', 'Dmfev0PKuM', 'hHaeEoDUR7', 'eTDe9tEKNG', 'LWTe8USfsr'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, kNprGw2ZiZwM3sepa2o.cs High entropy of concatenated method names: 'Ow0FDOTJ1w', 'MEtFrUqxVC', 'OsWFObgaf8', 'tSbFoajkrR', 'zHXFbqrQo8', 'kxWFX4KlEB', 'jAfFCWArIr', 'yx4F6S0V2P', 'gFMFuZIAEP', 'RVsFpVw5MM'
              Source: 1.2.MT103-7543324334.exe.416bbf0.3.raw.unpack, eTZ1V5QYHFhQyLXdL9.cs High entropy of concatenated method names: 'FD6F2qoxOV', 'yqiFglMbu8', 'EZGF7j1DDu', 'IvwFB1lg9j', 'lIKF0ntmZh', 'ikFFvTy4jt', 'a6iFEbxUho', 'O60VUgQ8op', 'wVmV4i6nM7', 'wCdVP8YW8a'
              Source: C:\Users\user\Desktop\MT103-7543324334.exe Code function: 4_2_00406EB0 ShellExecuteW,URLDownloadToFileW,4_2_00406EB0
              Source: C:\Users\user\Desktop\MT103-7543324334.exe File created: C:\Users\user\AppData\Roaming\QQ\QQ.exe

              Boot Survival

              Source: C:\Users\user\Desktop\MT103-7543324334.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-R6CJUW
              Source: C:\Users\user\Desktop\MT103-7543324334.exe Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AA4A
              Source: C:\Users\user\Desktop\MT103-7543324334.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-R6CJUW

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\MT103-7543324334.exe Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CB50
              Source: C:\Users\user\Desktop\MT103-7543324334.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: MT103-7543324334.exe PID: 3696, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: QQ.exe PID: 7812, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: QQ.exe PID: 8064, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: QQ.exe PID: 6048, type: MEMORYSTR
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_0040F7A7 Sleep,ExitProcess,4_2_0040F7A7
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: 13C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: 2D50000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: 4D50000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: 9170000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: A170000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: A380000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: B380000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 1370000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 2E60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 4E60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 9280000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: A280000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: A490000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: B490000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 3120000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 31E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 51E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 95D0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: A5D0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: A7E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: B7E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: E50000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 2B50000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 2A60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 8F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 9F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: A110000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: B110000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 10E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 2D30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 4D30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 9380000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: 7AE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: A380000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory allocated: B380000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A748
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6563
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2011
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7033
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 905
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Window / User API: threadDelayed 9332
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Window / User API: foregroundWindowGot 1749
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Evaded block: after key decision | graph_4-47650
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Evaded block: after key decision | graph_4-47673
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | API coverage: 6.3 %
              Source: C:\Users\user\Desktop\MT103-7543324334.exe TID: 5764 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4640 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2684 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 6648 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260 | Thread sleep count: 7033 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5296 | Thread sleep count: 905 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 6396 | Thread sleep count: 252 > 30
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 6396 | Thread sleep time: -126000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 7068 | Thread sleep count: 148 > 30
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 7068 | Thread sleep time: -444000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 7068 | Thread sleep count: 9332 > 30
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 7068 | Thread sleep time: -27996000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 7836 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 8088 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe TID: 4904 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0044E879 FindFirstFileExA,4_2_0044E879
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97
              Source: MT103-7543324334.exe, 00000004.00000002.1254234461.0000000000FA1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MT103-7543324334.exe, 00000001.00000002.1284268739.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: QQ.exe, 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004349F9
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CB50
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_004432B5 mov eax, dword ptr fs:[00000030h] 4_2_004432B5
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00412077 GetProcessHeap,HeapFree,4_2_00412077
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00434B47 SetUnhandledExceptionFilter,4_2_00434B47
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043BB22
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00434FDC
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe"
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Memory written: C:\Users\user\Desktop\MT103-7543324334.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Memory written: C:\Users\user\AppData\Roaming\QQ\QQ.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_004120F7
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00419627 mouse_event,4_2_00419627
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Users\user\Desktop\MT103-7543324334.exe "C:\Users\user\Desktop\MT103-7543324334.exe"
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Process created: C:\Users\user\AppData\Roaming\QQ\QQ.exe "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
              Source: QQ.exe, 0000000B.00000002.3700500743.0000000000F64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: QQ.exe, 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerUW\QQ
              Source: QQ.exe, 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, QQ.exe, 0000000B.00000002.3700500743.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [Program Manager]
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: 4_2_00434C52 cpuid 4_2_00434C52
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: EnumSystemLocalesW,4_2_00452036
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_004520C3
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetLocaleInfoW,4_2_00452313
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: EnumSystemLocalesW,4_2_00448404
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_0045243C
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetLocaleInfoW,4_2_00452543
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00452610
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetLocaleInfoA,4_2_0040F8D1
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: GetLocaleInfoW,4_2_004488ED
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00451CD8
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: EnumSystemLocalesW,4_2_00451F50
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Code function: EnumSystemLocalesW,4_2_00451F9B
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Users\user\Desktop\MT103-7543324334.exe VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Queries volume information: C:\Users\user\AppData\Roaming\QQ\QQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Users\user\AppData\Roaming\QQ\QQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Users\user\AppData\Roaming\QQ\QQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Users\user\AppData\Roaming\QQ\QQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\QQ\QQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_0040B164 GetLocalTime,wsprintfW,4_2_0040B164
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_0041B60D GetUserNameW,4_2_0041B60D
              Source: C:\Users\user\Desktop\MT103-7543324334.exeCode function: 4_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00449190
              Source: C:\Users\user\Desktop\MT103-7543324334.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

Source: Yara match; file source: 23.2.QQ.exe.3c31ae8.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.QQ.exe.3f41930.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.MT103-7543324334.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.MT103-7543324334.exe.3e30ab8.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 20.2.QQ.exe.42c3d90.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 25.2.QQ.exe.3d5a1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.QQ.exe.3bb8ec8.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.MT103-7543324334.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.QQ.exe.3ec8d10.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 25.2.QQ.exe.3e112b0.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.QQ.exe.3c31ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.QQ.exe.3f41930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.MT103-7543324334.exe.3e30ab8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 20.2.QQ.exe.42c3d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.MT103-7543324334.exe.3db7e98.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 25.2.QQ.exe.3d5a1b0.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 25.2.QQ.exe.3e112b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.MT103-7543324334.exe.3db7e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.QQ.exe.3ec8d10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.QQ.exe.3bb8ec8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0000001B.00000002.1548659538.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000018.00000002.1465639102.0000000001478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000015.00000002.1385310551.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.3707534940.0000000002B0F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.1254234461.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: MT103-7543324334.exe PID: 3696, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: MT103-7543324334.exe PID: 6768, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 2404, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 5628, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 7812, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 7880, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 8064, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 8128, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 6048, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: QQ.exe PID: 4640, type: MEMORYSTR
Source: Yara match; file source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\MT103-7543324334.exe  Code function 4_2_0040BA12 references the string: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MT103-7543324334.exe  Code function 4_2_0040BB30 references the string: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\MT103-7543324334.exe  Code function 4_2_0040BB30 references the string: \key3.db

Reading note: the two code functions carry the Chrome "Login Data" and Firefox profile "key3.db" paths as literals in the unpacked payload, which is the basis for the "steal Chrome/Firefox passwords or cookies" signatures. The dropped C:\ProgramData\remcos\logs.dat also matches the Yara rule and is written by the same QQ.exe instance that installs the global keyboard hook (see the behavior graph below), so it should be preserved during response rather than simply deleted.
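The practical check that follows from the two code-function strings is a file-access rule: any process other than the browser itself opening these stores is worth an alert. The script below is an added example for this report, not code from Joe Sandbox or from the sample. The Chrome "Login Data" and Firefox "key3.db" patterns are the paths the report lists; the key4.db and logins.json patterns, the `LEGITIMATE_READERS` allow-list and the `SAMPLE_EVENTS` telemetry are assumptions and constructed data, not taken from the page.

```python
"""Flag processes that open browser credential stores.

Added example for this report; not code from Joe Sandbox or from the sample.
The first two store paths are the strings the report lists for code functions
4_2_0040BA12 and 4_2_0040BB30; key4.db and logins.json are an assumption that
the same check should also cover current Firefox profiles. SAMPLE_EVENTS is
constructed telemetry, not real sensor output.
"""
import ntpath
import re

# Credential stores worth watching. The first two are the paths the sample
# references; the last two extend the check to newer Firefox profiles (assumption).
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\key3\.db$", re.I),
    re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\key4\.db$", re.I),
    re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.I),
]

# Image names that legitimately open their own store (assumption; tune per estate).
LEGITIMATE_READERS = {"chrome.exe", "firefox.exe"}


def is_credential_store(path: str) -> bool:
    """True when the file path is one of the watched credential stores."""
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def suspicious_credential_access(events):
    """Return (process, target) pairs where a non-browser process opened a store.

    Each event is a dict with 'process' (image path of the opener) and
    'target' (file path opened), as a file-access sensor would record it.
    """
    hits = []
    for ev in events:
        image = ntpath.basename(ev["process"]).lower()
        if is_credential_store(ev["target"]) and image not in LEGITIMATE_READERS:
            hits.append((ev["process"], ev["target"]))
    return hits


# Constructed file-access events mirroring the report: the sample reads the
# Chrome and Firefox stores, Chrome reads its own store, QQ.exe reads itself.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\user\Desktop\MT103-7543324334.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Users\user\Desktop\MT103-7543324334.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key3.db"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Users\user\AppData\Roaming\QQ\QQ.exe",
     "target": r"C:\Users\user\AppData\Roaming\QQ\QQ.exe"},
]

if __name__ == "__main__":
    for proc, target in suspicious_credential_access(SAMPLE_EVENTS):
        print(f"credential store access: {proc} -> {target}")
```

Run against the constructed events it reports the two reads by MT103-7543324334.exe and stays quiet for chrome.exe. The allow-list is by image name only; a real deployment should also check the signer or full path of the opener, since a renamed dropper could call itself chrome.exe.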

              Remote Access Functionality

Source: C:\Users\user\Desktop\MT103-7543324334.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R6CJUW
Source: C:\Users\user\AppData\Roaming\QQ\QQ.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R6CJUW (x4)
Source: Yara match; file sources: the same 44 entries listed under Stealing of Sensitive Information above (the unpacked PEs, the memory dumps, the process memory spaces of MT103-7543324334.exe and QQ.exe, and the dropped C:\ProgramData\remcos\logs.dat).
Source: C:\Users\user\Desktop\MT103-7543324334.exe  Code function 4_2_0040569A references the string: cmd.exe
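The mutex, the dropped paths, the two duckdns.org hosts and the 138.201.150.244:3984 endpoint are the indicators a responder would push into host and network telemetry. The script below is an added example for this report, not code from Joe Sandbox or from the sample: it takes those indicators from the report as given, while the "Rmc-" plus six characters mutex pattern, the duckdns.org dynamic-DNS suffix check, the `verdict` severity grouping and the `SAMPLE_EVENTS` telemetry are assumptions and constructed data that go beyond what the page states.

```python
"""Match host and network telemetry against the Remcos indicators in this report.

Added example; not part of the Joe Sandbox report and not code from the sample.
Indicators from the report: mutex Rmc-R6CJUW, the dropped QQ.exe and logs.dat,
the hosts milliondollar23.duckdns.org and milliondollar23backup.duckdns.org,
138.201.150.244 and port 3984. The six-character mutex pattern and the
duckdns.org suffix check are generalisations (assumptions). SAMPLE_EVENTS is
constructed telemetry.
"""
import ipaddress
import re

# Remcos names its mutex "Rmc-" plus six alphanumerics (assumption generalised
# from the single value Rmc-R6CJUW in this report).
REMCOS_MUTEX_RE = re.compile(r"\\BaseNamedObjects\\Rmc-[A-Z0-9]{6}$", re.I)

# Dropped-file paths from the report, with the user profile left variable.
DROPPED_FILE_RES = [
    re.compile(r"\\ProgramData\\remcos\\logs\.dat$", re.I),
    re.compile(r"\\AppData\\Roaming\\QQ\\QQ\.exe$", re.I),
]

C2_HOSTS = {"milliondollar23.duckdns.org", "milliondollar23backup.duckdns.org"}
C2_IPS = {ipaddress.ip_address("138.201.150.244")}
C2_PORT = 3984
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)  # report signature: Uses dynamic DNS services


def triage(events):
    """Return (indicator, detail) tuples for every event matching an indicator.

    Event types: mutex {name}, file_create {path}, dns {query},
    connect {dst_ip, dst_port}. Unknown types are ignored.
    """
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "mutex" and REMCOS_MUTEX_RE.search(ev["name"]):
            hits.append(("remcos_mutex", ev["name"]))
        elif kind == "file_create" and any(r.search(ev["path"]) for r in DROPPED_FILE_RES):
            hits.append(("remcos_drop", ev["path"]))
        elif kind == "dns":
            host = ev["query"].lower().rstrip(".")
            if host in C2_HOSTS:
                hits.append(("c2_domain", host))
            elif host.endswith(DYNAMIC_DNS_SUFFIXES):
                hits.append(("dynamic_dns", host))  # weaker signal: needs analyst review
        elif kind == "connect":
            ip = ipaddress.ip_address(ev["dst_ip"])
            if ip in C2_IPS:
                label = "c2_connect" if ev["dst_port"] == C2_PORT else "c2_ip"
                hits.append((label, f"{ip}:{ev['dst_port']}"))
    return hits


def verdict(hits):
    """Collapse hits to one verdict: 'remcos' on any direct indicator, else 'suspicious'/'clean'."""
    strong = {"remcos_mutex", "remcos_drop", "c2_domain", "c2_connect"}
    if any(ind in strong for ind, _ in hits):
        return "remcos"
    return "suspicious" if hits else "clean"


# Constructed telemetry: one infected host's events plus benign noise.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\Rmc-R6CJUW"},
    {"type": "file_create", "path": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\QQ\QQ.exe"},
    {"type": "dns", "query": "milliondollar23.duckdns.org"},
    {"type": "dns", "query": "some-other-host.duckdns.org"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "connect", "dst_ip": "138.201.150.244", "dst_port": 3984},
    {"type": "connect", "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for indicator, detail in found:
        print(f"{indicator:13} {detail}")
    print("verdict:", verdict(found))
```

The dynamic-DNS match is deliberately kept separate from the C2 match: duckdns.org hosts are common in benign traffic, so on its own that hit only raises the verdict to "suspicious". The IP is on Hetzner shared hosting per the report, so treat the IP-only match the same way once the operator moves the host.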
MITRE ATT&CK matrix: techniques flagged for this sample, grouped by tactic. The number after each technique is the signature-count badge as extracted from the matrix; where the matrix showed several badges side by side their digits may have run together into one figure.

Execution: Native API (2); Command and Scripting Interpreter (1); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (122); Registry Run Keys / Startup Folder (11)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (11); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (122)
Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (21)
Impact: System Shutdown/Reboot (1); Defacement (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no technique flagged
Behavior Graph ID: 1465305   Sample: MT103-7543324334.exe   Start date: 01/07/2024   Architecture: WINDOWS   Score: 100

Contacted hosts: milliondollar23.duckdns.org, milliondollar23backup.duckdns.org (signature: Uses dynamic DNS services)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
MT103-7543324334.exe (started from the submitted sample)
    dropped: C:\Users\user\...\MT103-7543324334.exe.log (ASCII)
    signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 4 other signatures
    -> MT103-7543324334.exe (child instance)
        dropped: C:\Users\user\AppData\Roaming\QQ\QQ.exe (PE32); C:\Users\user\...\QQ.exe:Zone.Identifier (ASCII)
        signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious names
        -> QQ.exe
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
            -> QQ.exe
                network: milliondollar23.duckdns.org, 138.201.150.244 (HETZNER-AS, Germany), remote port 3984, local ports 49703 and 49712
                dropped: C:\ProgramData\remcos\logs.dat (data)
                signatures: Detected Remcos RAT; Installs a global keyboard hook
            -> powershell.exe
                signatures: Loading BitLocker PowerShell Module
                -> WmiPrvSE.exe
                -> conhost.exe
    -> powershell.exe
        signatures: Loading BitLocker PowerShell Module
        -> conhost.exe
QQ.exe (three further instances started independently, consistent with the autostart registry keys)
    signatures (first instance): Injects a PE file into a foreign processes
    -> QQ.exe (two child instances under the first, one each under the other two)

Antivirus detection, submitted file:
Source | Detection | Scanner | Label | Link
MT103-7543324334.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
MT103-7543324334.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\QQ\QQ.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\QQ\QQ.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
              No Antivirus matches
              No Antivirus matches
Antivirus detection, URLs:
Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://tempuri.org/AukcionDBDataSet.xsd | 0% | Avira URL Cloud | safe |
ollar23.duckdns.org | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
milliondollar23.duckdns.org | 138.201.150.244 | true | true | | unknown
milliondollar23backup.duckdns.org | unknown | unknown | true | | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
ollar23.duckdns.org | true | Avira URL Cloud: safe | unknown
URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | MT103-7543324334.exe | false | URL Reputation: safe | unknown
http://tempuri.org/AukcionDBDataSet.xsd | MT103-7543324334.exe, QQ.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | MT103-7543324334.exe, 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, MT103-7543324334.exe, 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, QQ.exe, 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MT103-7543324334.exe, 00000001.00000002.1271398062.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000006.00000002.1296460638.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000014.00000002.1408801876.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000017.00000002.1488168688.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp, QQ.exe, 00000019.00000002.1569302206.0000000002D96000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP distribution legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted IPs:
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
138.201.150.244 | milliondollar23.duckdns.org | Germany | | 24940 | HETZNER-ASDE | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1465305
                  Start date and time:2024-07-01 15:02:43 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 11m 28s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:33
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:MT103-7543324334.exe
                  Detection:MAL
                  Classification:mal100.rans.troj.spyw.expl.evad.winEXE@25/14@27/1
                  EGA Information:
                  • Successful, ratio: 85.7%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 306
                  • Number of non-executed functions: 223
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target QQ.exe, PID 5628 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: MT103-7543324334.exe
Time | Type | Description
09:03:36 | API Interceptor | 1x Sleep call for process: MT103-7543324334.exe modified
09:03:37 | API Interceptor | 30x Sleep call for process: powershell.exe modified
09:03:38 | API Interceptor | 7347856x Sleep call for process: QQ.exe modified
15:03:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-R6CJUW "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
15:03:49 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-R6CJUW "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
15:03:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-R6CJUW "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
IP context:
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
138.201.150.244 | rSCAN31804.exe | Get hash | malicious | GuLoader, Remcos | Browse |
138.201.150.244 | MT103-7543324334hsbc.com.exe | Get hash | malicious | Remcos | Browse |
138.201.150.244 | FACTURA08798696.vbe | Get hash | malicious | GuLoader, Remcos | Browse |
138.201.150.244 | SCAN00381638.SCR.exe | Get hash | malicious | GuLoader, Remcos | Browse |
Domain context:
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
milliondollar23.duckdns.org | rSCAN31804.exe | Get hash | malicious | GuLoader, Remcos | Browse | 138.201.150.244
milliondollar23.duckdns.org | MT103-7543324334hsbc.com.exe | Get hash | malicious | Remcos | Browse | 138.201.150.244
milliondollar23.duckdns.org | FACTURA08798696.vbe | Get hash | malicious | GuLoader, Remcos | Browse | 138.201.150.244
milliondollar23.duckdns.org | SCAN00381638.SCR.exe | Get hash | malicious | GuLoader, Remcos | Browse | 138.201.150.244
milliondollar23.duckdns.org | oeillet.exe | Get hash | malicious | Remcos, GuLoader | Browse | 172.245.214.71
milliondollar23.duckdns.org | DHL04AWB01173903102023PDF.scr.exe | Get hash | malicious | Remcos, GuLoader | Browse | 79.134.225.111
ASN context:
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
HETZNER-ASDE | file.exe | Get hash | malicious | FormBook | Browse | 135.181.212.206
HETZNER-ASDE | file.exe | Get hash | malicious | FormBook | Browse | 135.181.212.206
HETZNER-ASDE | Re_ gerechtelijke dagvaarding..eml | Get hash | malicious | Unknown | Browse | 95.217.55.136
HETZNER-ASDE | zyJWi2vy29.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | Browse | 195.201.251.214
HETZNER-ASDE | 56bDgH9sMQ.exe | Get hash | malicious | Vidar | Browse | 195.201.251.214
HETZNER-ASDE | NI0Y4iB1ON.exe | Get hash | malicious | RedLine | Browse | 5.161.190.139
HETZNER-ASDE | https://www.teamviewer.com/en-in/download/windows/ | Get hash | malicious | Unknown | Browse | 144.76.236.241
HETZNER-ASDE | https://he110ca11he1lpn0wwb112.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
HETZNER-ASDE | https://serviceca11he1pn0waa12.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
HETZNER-ASDE | https://u.to/NuS5IA | Get hash | malicious | Unknown | Browse | 94.130.141.49
                          No context
                          No context
                          Process:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):360
                          Entropy (8bit):3.2835458468971743
                          Encrypted:false
                          SSDEEP:6:6lVKd4b5YcIeeDAlOWAAe5q1gWAAe5q1gWAAe5q1gWAv:6lVKMec0WFe5BWFe5BWFe5BW+
                          MD5:9C191842332AC930AC649FBEEEC6A62F
                          SHA1:57CA72E4BEEAD603E72C29AB9BF1049E103D4C10
                          SHA-256:9EBA88E137113A00CD76FAAC7699F069000B44E5B461D03E1965920A46279D7B
                          SHA-512:CFDF041836F92ECC25453EED4B29637261A9DC30D4D9DE121FF33B7AE2381ADAE2F96B777DD4D1899C7CEB027F79EC97267F8AE4FA4F1EEF3477B438EA2C4461
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                          Reputation:low
                          Preview:....[.2.0.2.4./.0.7./.0.1. .0.9.:.0.3.:.3.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                          Process:C:\Users\user\Desktop\MT103-7543324334.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1730
                          Entropy (8bit):5.35299682261553
                          Encrypted:false
                          SSDEEP:48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMR5vzHKnHKU57Uy:Pq5qHwCYqh3oPtI6eqzxqqMR5rqnqU5t
                          MD5:4D047149BCD6E4625565C631F1F723B2
                          SHA1:33909516B8ACB42E0B7E5E7D48F8B2D917094BCB
                          SHA-256:E84139F7D948F47ADF2E6346641261ADED096D1DB640EFF9B9B7D122121685DC
                          SHA-512:AE0D2AC2C282AEBA1B63851529892240C3BE5D56F3996F1BEE3263FBB13A7A044348D63F04B0705836C5847994BD553F342511F6BB4DD075E4E8A3E9CB12D54F
                          Malicious:true
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1730
                          Entropy (8bit):5.35299682261553
                          Encrypted:false
                          SSDEEP:48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMR5vzHKnHKU57Uy:Pq5qHwCYqh3oPtI6eqzxqqMR5rqnqU5t
                          MD5:4D047149BCD6E4625565C631F1F723B2
                          SHA1:33909516B8ACB42E0B7E5E7D48F8B2D917094BCB
                          SHA-256:E84139F7D948F47ADF2E6346641261ADED096D1DB640EFF9B9B7D122121685DC
                          SHA-512:AE0D2AC2C282AEBA1B63851529892240C3BE5D56F3996F1BEE3263FBB13A7A044348D63F04B0705836C5847994BD553F342511F6BB4DD075E4E8A3E9CB12D54F
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2232
                          Entropy (8bit):5.379552885213346
                          Encrypted:false
                          SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZM0UyuVws:fLHxvCsIfA2KRHmOugr1Vws
                          MD5:A8E0D497947F820B1578A90D417338D4
                          SHA1:945FF7C68A85BA98DD6077BF821D70C5D553C605
                          SHA-256:4626E2474B02F78DBD152878E50A4789514B4975D10D2C6D2FF557C7BCBAA166
                          SHA-512:971F39BC7970CA54CF45CB7065ADEA48559404E838BFAC09B4A4CEAD255A08B5D329C8F607CC0BA92B9C5761977BA904BC61A46B77FC40FB19BE582A6EDE3D91
                          Malicious:false
                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\MT103-7543324334.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):1601536
                          Entropy (8bit):7.372300066955007
                          Encrypted:false
                          SSDEEP:24576:wDDK7x0BPwAcDSnCITaaLue2jootHfCTVibOgSKma8i3Cxf:gPc62j/fSngRC
                          MD5:6D16DCF1423B30677D2918AE11FE2BC3
                          SHA1:E1FC54FB00530AB8E07C11B4CC16785858F1917C
                          SHA-256:B6F0586D835ACFF8C86C02904729023D95B10D879A066A9EECA973DEAF582E07
                          SHA-512:52815E0970FE4FA29A20C0127A14C133E0149D7B3C1F0315B3404FADC7F07D5B72D9CF83FAB32D488B43DCFC576CF60D3647167FC2114A4F0BA5ABEEA31407F6
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 71%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....zf.................R...........p... ........@.. ....................................@..................................o..S.................................................................................... ............... ..H............text...4P... ...R.................. ..`.rsrc................T..............@..@.reloc...............n..............@..B.................p......H.......t...d.......T....................................................0.......... d........%....(......... .........%.C...(.....D... .........%....(......... H........%.J...(.....K... @........%.f...(.....g... `........%.....(......... .........%.....(......... .........%.....(..... ... .........%.....(......... .........%.2...(.....3...(....*.....&*....0..G.........}B....(.....(.....(8......a...s.....+..(.....o.....(.....o.....(....*..0............}B.......(.......(....
                          Process:C:\Users\user\Desktop\MT103-7543324334.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.372300066955007
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:MT103-7543324334.exe
                          File size:1'601'536 bytes
                          MD5:6d16dcf1423b30677d2918ae11fe2bc3
                          SHA1:e1fc54fb00530ab8e07c11b4cc16785858f1917c
                          SHA256:b6f0586d835acff8c86c02904729023d95b10d879a066a9eeca973deaf582e07
                          SHA512:52815e0970fe4fa29a20c0127a14c133e0149d7b3c1f0315b3404fadc7f07d5b72d9cf83fab32d488b43dcfc576cf60d3647167fc2114a4f0ba5abeea31407f6
                          SSDEEP:24576:wDDK7x0BPwAcDSnCITaaLue2jootHfCTVibOgSKma8i3Cxf:gPc62j/fSngRC
                          TLSH:8875C00D37A45647EA1E933BC392009587B5D126B75AE38F8DCA38E82DE53598FC3523
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....zf.................R...........p... ........@.. ....................................@................................
                          Icon Hash:4d0e9370312b2b33
                          Entrypoint:0x58702e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x667A1E17 [Tue Jun 25 01:32:07 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          (the line above is repeated 97 times in the raw disassembly; it is the decoding of 00 00 padding bytes, not code. The single real instruction, jmp dword ptr [00402000h], is the standard x86 launcher stub of a .NET executable: an indirect jump through the 8-byte IAT at RVA 0x2000 (image base 0x400000), which the loader fills with the address of mscoree!_CorExeMain, the only import listed below. Execution then continues in managed code at the entry point stored in the CLR header at RVA 0x2008.)
                          Name                                 | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x186fd8        | 0x53         | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x188000        | 0x1a00       | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x18a000        | 0xc          | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                          Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                          .text  | 0x2000          | 0x185034     | 0x185200 | 4665ed26931ea8f42af234673aa533ff | False    | 0.6937025678605846 | data      | 7.374820869707466   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc  | 0x188000        | 0x1a00       | 0x1a00   | f95e66c2f784ce48e7f75fc2c6cf0eb9 | False    | 0.8416466346153846 | data      | 7.154450119530442   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x18a000        | 0xc          | 0x200    | acb5dc57a1a877a7273af9b87c1227ec | False    | 0.044921875        | data      | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name          | RVA      | Size   | Type                                                        | Language | Country | ZLIB Complexity
                          RT_ICON       | 0x1880c8 | 0x13cb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |          |         | 0.9850009867771857
                          RT_GROUP_ICON | 0x1894a4 | 0x14   | data                                                        |          |         | 1.05
                          RT_VERSION    | 0x1894c8 | 0x3b4  | data                                                        |          |         | 0.48945147679324896
                          DLL         | Import
                          mscoree.dll | _CorExeMain
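The header fields above are the fingerprint of a thin .NET loader wrapped around an encrypted payload: a CLR header at RVA 0x2008, mscoree!_CorExeMain as the only import, a .text section at 7.37 bits/byte (managed code alone does not get that dense; the "very large array initializations" and process-injection signatures in this report are the other side of the same coin), and no SECURITY directory, so no Authenticode signature. The Python below is an added example, not Joe Sandbox output or code from the sample. It walks those headers with the standard library, computes per-section entropy and checks whether the entry point is the six-byte jmp through the IAT. The 7.0 entropy threshold and the synthetic test image are assumptions; on a real file call `triage(open(path, "rb").read())`.

```python
"""Static triage for the PE profile in this report: 32-bit image, single import
mscoree!_CorExeMain, entry point = jmp through the IAT, .text entropy above 7
bits/byte, no Authenticode signature.  Standard library only."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_SECURITY, DIR_IAT, DIR_COM_DESCRIPTOR = 4, 12, 14
HIGH_ENTROPY = 7.0  # assumption: plain IL rarely reaches this, packed/encrypted blobs do


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: entry RVA, image base, data directories, sections."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:    # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        ndirs, dirs_off = struct.unpack_from("<I", image, opt + 92)[0], opt + 96
    elif magic == 0x20B:  # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        ndirs, dirs_off = struct.unpack_from("<I", image, opt + 108)[0], opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    dirs = [struct.unpack_from("<II", image, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "chars": struct.unpack_from("<I", image, hdr + 36)[0],
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(info: dict, rva: int):
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + rva - s["va"]
    return None


def entry_is_clr_stub(image: bytes, info: dict) -> bool:
    """True if the entry point is FF 25 imm32 (jmp dword ptr [imm32]) and imm32 lies
    inside the IAT: the x86 launcher stub that jumps to mscoree!_CorExeMain."""
    off = rva_to_offset(info, info["entry"])
    if off is None or image[off:off + 2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", image, off + 2)[0]
    iat_rva, iat_size = info["dirs"][DIR_IAT] if len(info["dirs"]) > DIR_IAT else (0, 0)
    lo = info["image_base"] + iat_rva
    return iat_size > 0 and lo <= target < lo + iat_size


def triage(image: bytes) -> dict:
    info = parse_pe(image)
    d = info["dirs"]
    managed = len(d) > DIR_COM_DESCRIPTOR and d[DIR_COM_DESCRIPTOR][1] != 0
    signed = len(d) > DIR_SECURITY and d[DIR_SECURITY][1] != 0
    stub = entry_is_clr_stub(image, info)
    hot = [s["name"] for s in info["sections"]
           if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > HIGH_ENTROPY]
    return {"managed": managed, "authenticode_signed": signed, "entry_is_clr_stub": stub,
            "high_entropy_code_sections": hot,
            "section_entropy": {s["name"]: round(s["entropy"], 2) for s in info["sections"]},
            # the report's profile: CLR stub in front of an encrypted-looking code blob, unsigned
            "dotnet_loader_profile": managed and stub and bool(hot) and not signed}


def build_sample_pe(managed: bool = True) -> bytes:
    """Constructed PE32 for offline testing (NOT the report's sample): .text holds an
    IAT slot, the FF 25 stub and high-entropy filler; .reloc is zeros."""
    base, text_va, text_raw, text_len = 0x400000, 0x2000, 0x200, 0x400
    text = bytearray(bytes(range(256)) * (text_len // 256))
    text[0:8] = b"\0" * 8                                               # IAT slot
    text[0x10:0x16] = b"\xff\x25" + struct.pack("<I", base + text_va)  # jmp dword ptr [IAT]
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT] = (text_va, 8)
    if managed:
        dirs[DIR_COM_DESCRIPTOR] = (text_va + 8, 0x48)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 8, 0, text_len, 0x200, 0,
                      text_va + 0x10, text_va, 0x4000, base, 0x2000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x6000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *dd) for dd in dirs)

    def sect(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 2, 0x667A1E17, 0, 0, len(opt), 0x0102) + opt
           + sect(b".text", text_len, text_va, text_len, text_raw, 0x60000020)
           + sect(b".reloc", 0xC, 0x4000, 0x200, text_raw + text_len, 0x42000040))
    return hdr.ljust(text_raw, b"\0") + bytes(text) + b"\0" * 0x200
```

The entropy check is a triage hint, not proof: a legitimate .NET assembly with large embedded resources in .text can score high, and a loader can keep its blob in .rsrc instead (here .rsrc is 7.15 too). The combination that matters is the managed stub plus a dense executable section plus no signature, which is why `dotnet_loader_profile` requires all three.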
                          Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
                          Jul 1, 2024 15:03:40.055960894 CEST | 49703       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:03:40.060970068 CEST | 3984        | 49703     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:03:40.061072111 CEST | 49703       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:03:40.075956106 CEST | 49703       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:03:40.080996037 CEST | 3984        | 49703     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:01.442066908 CEST | 3984        | 49703     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:01.442209005 CEST | 49703       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:01.442303896 CEST | 49703       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:01.447057962 CEST | 3984        | 49703     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:03.985188961 CEST | 49712       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:03.989945889 CEST | 3984        | 49712     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:03.992152929 CEST | 49712       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:03.997312069 CEST | 49712       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:04.002162933 CEST | 3984        | 49712     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:25.345175028 CEST | 3984        | 49712     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:25.345282078 CEST | 49712       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:25.345366955 CEST | 49712       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:25.350291014 CEST | 3984        | 49712     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:27.964086056 CEST | 49713       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:27.968976021 CEST | 3984        | 49713     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:27.969054937 CEST | 49713       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:27.972599983 CEST | 49713       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:27.977421999 CEST | 3984        | 49713     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:49.347301960 CEST | 3984        | 49713     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:49.347367048 CEST | 49713       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:49.347419024 CEST | 49713       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:49.352222919 CEST | 3984        | 49713     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:52.105035067 CEST | 49715       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:52.110178947 CEST | 3984        | 49715     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:04:52.110294104 CEST | 49715       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:52.113620043 CEST | 49715       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:04:52.118474007 CEST | 3984        | 49715     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:13.492234945 CEST | 3984        | 49715     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:13.496207952 CEST | 49715       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:13.496238947 CEST | 49715       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:13.501051903 CEST | 3984        | 49715     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:19.248091936 CEST | 49716       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:19.253297091 CEST | 3984        | 49716     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:19.253396034 CEST | 49716       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:19.256933928 CEST | 49716       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:19.261708021 CEST | 3984        | 49716     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:40.627655983 CEST | 3984        | 49716     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:40.627743959 CEST | 49716       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:40.627789974 CEST | 49716       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:40.632741928 CEST | 3984        | 49716     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:44.246912956 CEST | 49717       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:44.252119064 CEST | 3984        | 49717     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:05:44.252294064 CEST | 49717       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:44.256443024 CEST | 49717       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:05:44.268768072 CEST | 3984        | 49717     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:05.663501024 CEST | 3984        | 49717     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:05.663568020 CEST | 49717       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:05.663681030 CEST | 49717       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:05.668909073 CEST | 3984        | 49717     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:07.511431932 CEST | 49718       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:07.518153906 CEST | 3984        | 49718     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:07.518246889 CEST | 49718       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:07.522746086 CEST | 49718       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:07.528491974 CEST | 3984        | 49718     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:28.899935961 CEST | 3984        | 49718     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:28.900032997 CEST | 49718       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:28.900094986 CEST | 49718       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:28.905031919 CEST | 3984        | 49718     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:34.793287992 CEST | 49719       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:34.798367977 CEST | 3984        | 49719     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:34.798497915 CEST | 49719       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:34.801925898 CEST | 49719       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:34.806978941 CEST | 3984        | 49719     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:56.179780960 CEST | 3984        | 49719     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:56.179841042 CEST | 49719       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:56.179956913 CEST | 49719       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:56.184778929 CEST | 3984        | 49719     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:58.995734930 CEST | 49720       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:59.000636101 CEST | 3984        | 49720     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:06:59.000736952 CEST | 49720       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:59.004391909 CEST | 49720       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:06:59.010301113 CEST | 3984        | 49720     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:07:20.380860090 CEST | 3984        | 49720     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:07:20.384401083 CEST | 49720       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:07:20.387778044 CEST | 49720       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:07:20.392889977 CEST | 3984        | 49720     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:07:25.511554956 CEST | 49721       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:07:25.517159939 CEST | 3984        | 49721     | 138.201.150.244 | 192.168.2.7
                          Jul 1, 2024 15:07:25.517338991 CEST | 49721       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:07:25.520668983 CEST | 49721       | 3984      | 192.168.2.7     | 138.201.150.244
                          Jul 1, 2024 15:07:25.525595903 CEST | 3984        | 49721     | 138.201.150.244 | 192.168.2.7
                          Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                          Jul 1, 2024 15:03:40.043550014 CEST | 51957       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:03:40.051640034 CEST | 53          | 51957     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:01.442944050 CEST | 52490       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:02.447475910 CEST | 52490       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:02.854818106 CEST | 53          | 52490     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:02.854830980 CEST | 53          | 52490     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:03.869904041 CEST | 62099       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:03.980568886 CEST | 53          | 62099     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:25.345948935 CEST | 52022       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:26.338239908 CEST | 52022       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:26.951253891 CEST | 53          | 52022     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:26.952110052 CEST | 53          | 52022     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:49.348035097 CEST | 52259       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:50.353912115 CEST | 52259       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:04:51.094003916 CEST | 53          | 52259     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:04:51.094022036 CEST | 53          | 52259     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:13.496834993 CEST | 61431       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:14.131128073 CEST | 53          | 61431     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:15.135895014 CEST | 51963       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:16.151300907 CEST | 51963       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:17.166553974 CEST | 51963       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:19.166562080 CEST | 51963       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:19.247064114 CEST | 53          | 51963     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:19.247077942 CEST | 53          | 51963     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:19.247088909 CEST | 53          | 51963     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:19.247121096 CEST | 53          | 51963     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:40.628432989 CEST | 54357       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:41.619757891 CEST | 54357       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:42.622153997 CEST | 54357       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:05:43.236727953 CEST | 53          | 54357     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:43.236747980 CEST | 53          | 54357     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:05:43.236759901 CEST | 53          | 54357     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:05.664602041 CEST | 60429       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:06.501097918 CEST | 53          | 60429     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:28.900648117 CEST | 60336       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:29.885446072 CEST | 60336       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:30.901087999 CEST | 60336       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:32.916130066 CEST | 53          | 60336     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:32.916167021 CEST | 53          | 60336     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:32.916177988 CEST | 53          | 60336     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:33.932868004 CEST | 53593       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:34.792347908 CEST | 53          | 53593     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:56.181320906 CEST | 50866       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:57.177201986 CEST | 50866       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:06:57.990528107 CEST | 53          | 50866     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:06:57.990737915 CEST | 53          | 50866     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:07:20.395689011 CEST | 57356       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:07:21.401304960 CEST | 57356       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:07:22.416827917 CEST | 57356       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:07:24.432508945 CEST | 57356       | 53        | 192.168.2.7 | 1.1.1.1
                          Jul 1, 2024 15:07:24.496567011 CEST | 53          | 57356     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:07:24.496586084 CEST | 53          | 57356     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:07:24.496596098 CEST | 53          | 57356     | 1.1.1.1     | 192.168.2.7
                          Jul 1, 2024 15:07:24.500766993 CEST | 53          | 57356     | 1.1.1.1     | 192.168.2.7
                          Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                              | Type           | Class       | DNS over HTTPS
                          Jul 1, 2024 15:03:40.043550014 CEST | 192.168.2.7 | 1.1.1.1 | 0x648e   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:01.442944050 CEST | 192.168.2.7 | 1.1.1.1 | 0x4601   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:02.447475910 CEST | 192.168.2.7 | 1.1.1.1 | 0x4601   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:03.869904041 CEST | 192.168.2.7 | 1.1.1.1 | 0xee46   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:25.345948935 CEST | 192.168.2.7 | 1.1.1.1 | 0x9c90   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:26.338239908 CEST | 192.168.2.7 | 1.1.1.1 | 0x9c90   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:49.348035097 CEST | 192.168.2.7 | 1.1.1.1 | 0x903a   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:50.353912115 CEST | 192.168.2.7 | 1.1.1.1 | 0x903a   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:13.496834993 CEST | 192.168.2.7 | 1.1.1.1 | 0x38f8   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:15.135895014 CEST | 192.168.2.7 | 1.1.1.1 | 0x63a3   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:16.151300907 CEST | 192.168.2.7 | 1.1.1.1 | 0x63a3   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:17.166553974 CEST | 192.168.2.7 | 1.1.1.1 | 0x63a3   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:19.166562080 CEST | 192.168.2.7 | 1.1.1.1 | 0x63a3   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:40.628432989 CEST | 192.168.2.7 | 1.1.1.1 | 0x18f8   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:41.619757891 CEST | 192.168.2.7 | 1.1.1.1 | 0x18f8   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:42.622153997 CEST | 192.168.2.7 | 1.1.1.1 | 0x18f8   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:05.664602041 CEST | 192.168.2.7 | 1.1.1.1 | 0xfebc   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:28.900648117 CEST | 192.168.2.7 | 1.1.1.1 | 0xc5ff   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:29.885446072 CEST | 192.168.2.7 | 1.1.1.1 | 0xc5ff   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:30.901087999 CEST | 192.168.2.7 | 1.1.1.1 | 0xc5ff   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:33.932868004 CEST | 192.168.2.7 | 1.1.1.1 | 0xfcd3   | Standard query (0) | milliondollar23.duckdns.org       | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:56.181320906 CEST | 192.168.2.7 | 1.1.1.1 | 0x46cd   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:57.177201986 CEST | 192.168.2.7 | 1.1.1.1 | 0x46cd   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:20.395689011 CEST | 192.168.2.7 | 1.1.1.1 | 0x786f   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:21.401304960 CEST | 192.168.2.7 | 1.1.1.1 | 0x786f   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:22.416827917 CEST | 192.168.2.7 | 1.1.1.1 | 0x786f   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:24.432508945 CEST | 192.168.2.7 | 1.1.1.1 | 0x786f   | Standard query (0) | milliondollar23backup.duckdns.org | A (IP address) | IN (0x0001) | false
                          Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code         | Name                              | CName | Address         | Type           | Class       | DNS over HTTPS
                          Jul 1, 2024 15:03:40.051640034 CEST | 1.1.1.1   | 192.168.2.7 | 0x648e   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:02.854818106 CEST | 1.1.1.1   | 192.168.2.7 | 0x4601   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:02.854830980 CEST | 1.1.1.1   | 192.168.2.7 | 0x4601   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:03.980568886 CEST | 1.1.1.1   | 192.168.2.7 | 0xee46   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:26.951253891 CEST | 1.1.1.1   | 192.168.2.7 | 0x9c90   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:26.952110052 CEST | 1.1.1.1   | 192.168.2.7 | 0x9c90   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:51.094003916 CEST | 1.1.1.1   | 192.168.2.7 | 0x903a   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:04:51.094022036 CEST | 1.1.1.1   | 192.168.2.7 | 0x903a   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:14.131128073 CEST | 1.1.1.1   | 192.168.2.7 | 0x38f8   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:19.247064114 CEST | 1.1.1.1   | 192.168.2.7 | 0x63a3   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:19.247077942 CEST | 1.1.1.1   | 192.168.2.7 | 0x63a3   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:19.247088909 CEST | 1.1.1.1   | 192.168.2.7 | 0x63a3   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:19.247121096 CEST | 1.1.1.1   | 192.168.2.7 | 0x63a3   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:43.236727953 CEST | 1.1.1.1   | 192.168.2.7 | 0x18f8   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:43.236747980 CEST | 1.1.1.1   | 192.168.2.7 | 0x18f8   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:05:43.236759901 CEST | 1.1.1.1   | 192.168.2.7 | 0x18f8   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:06.501097918 CEST | 1.1.1.1   | 192.168.2.7 | 0xfebc   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:32.916130066 CEST | 1.1.1.1   | 192.168.2.7 | 0xc5ff   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:32.916167021 CEST | 1.1.1.1   | 192.168.2.7 | 0xc5ff   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:32.916177988 CEST | 1.1.1.1   | 192.168.2.7 | 0xc5ff   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:34.792347908 CEST | 1.1.1.1   | 192.168.2.7 | 0xfcd3   | No error (0)       | milliondollar23.duckdns.org       |       | 138.201.150.244 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:57.990528107 CEST | 1.1.1.1   | 192.168.2.7 | 0x46cd   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:06:57.990737915 CEST | 1.1.1.1   | 192.168.2.7 | 0x46cd   | Name error (3)     | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:24.496567011 CEST | 1.1.1.1   | 192.168.2.7 | 0x786f   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:24.496586084 CEST | 1.1.1.1   | 192.168.2.7 | 0x786f   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:24.496596098 CEST | 1.1.1.1   | 192.168.2.7 | 0x786f   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:07:24.500766993 CEST | 1.1.1.1   | 192.168.2.7 | 0x786f   | Server failure (2) | milliondollar23backup.duckdns.org | none  | none            | A (IP address) | IN (0x0001) | false
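Read together, the network tables above show the implant's reconnect loop rather than a one-off check-in: resolve milliondollar23.duckdns.org, hold a TCP session to 138.201.150.244:3984 for about 21 seconds until the server side tears it down, query milliondollar23backup.duckdns.org (which never resolves, NXDOMAIN or SERVFAIL every time), fall back to the primary (sometimes from cache, sometimes with a fresh query) and reconnect on a new client port roughly every 24 seconds. The Python below is an added example, not part of the Joe Sandbox report: it takes the DNS transactions and the per-port TCP sessions transcribed from these tables, computes session length and reconnect regularity, and flags dynamic-DNS use and the dead-backup failover pattern. The DDNS suffix list and the coefficient-of-variation cut-off for calling the interval "periodic" are assumptions.

```python
"""Beacon analysis over the DNS and TCP tables in this report: which names the implant
resolves, which are dynamic-DNS hosts, which never resolve, how long each C2 session
lasts and how regularly the implant reconnects."""
from datetime import datetime
from statistics import mean, median, pstdev

# Assumption: a short illustrative list of dynamic-DNS providers; duckdns.org is the one on this page.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Transcribed from the DNS tables above, one entry per transaction ID (retransmissions
# collapsed): (query time, name, reply code, answered address or None).
DNS = [
    ("15:03:40.043", "milliondollar23.duckdns.org", "No error (0)", "138.201.150.244"),
    ("15:04:01.442", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:04:03.869", "milliondollar23.duckdns.org", "No error (0)", "138.201.150.244"),
    ("15:04:25.345", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:04:49.348", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:05:13.496", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:05:15.135", "milliondollar23.duckdns.org", "No error (0)", "138.201.150.244"),
    ("15:05:40.628", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:06:05.664", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:06:28.900", "milliondollar23backup.duckdns.org", "Server failure (2)", None),
    ("15:06:33.932", "milliondollar23.duckdns.org", "No error (0)", "138.201.150.244"),
    ("15:06:56.181", "milliondollar23backup.duckdns.org", "Name error (3)", None),
    ("15:07:20.395", "milliondollar23backup.duckdns.org", "Server failure (2)", None),
]
# Transcribed from the TCP table above: (client port, first packet, last packet, server, port).
TCP = [
    (49703, "15:03:40.055", "15:04:01.447", "138.201.150.244", 3984),
    (49712, "15:04:03.985", "15:04:25.350", "138.201.150.244", 3984),
    (49713, "15:04:27.964", "15:04:49.352", "138.201.150.244", 3984),
    (49715, "15:04:52.105", "15:05:13.501", "138.201.150.244", 3984),
    (49716, "15:05:19.248", "15:05:40.632", "138.201.150.244", 3984),
    (49717, "15:05:44.246", "15:06:05.668", "138.201.150.244", 3984),
    (49718, "15:06:07.511", "15:06:28.905", "138.201.150.244", 3984),
    (49719, "15:06:34.793", "15:06:56.184", "138.201.150.244", 3984),
    (49720, "15:06:58.995", "15:07:20.392", "138.201.150.244", 3984),
    (49721, "15:07:25.511", "15:07:25.525", "138.201.150.244", 3984),  # cut short by end of run
]


def secs(ts: str) -> float:
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def is_ddns(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def resolution_summary(dns):
    """Per name: successful vs. failed lookups and the set of answered addresses."""
    out = {}
    for _, name, _rcode, addr in dns:
        e = out.setdefault(name, {"ok": 0, "failed": 0, "addresses": set(), "ddns": is_ddns(name)})
        if addr:
            e["ok"] += 1
            e["addresses"].add(addr)
        else:
            e["failed"] += 1
    return out


def session_stats(tcp):
    starts = [secs(first) for _, first, _, _, _ in tcp]
    durations = [secs(last) - secs(first) for _, first, last, _, _ in tcp]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 else None   # jitter relative to the mean gap
    return {"sessions": len(tcp),
            "endpoints": sorted({(ip, port) for _, _, _, ip, port in tcp}),
            "median_duration_s": round(median(durations), 2),
            "median_reconnect_s": round(median(gaps), 2),
            "reconnect_cv": None if cv is None else round(cv, 3),
            # assumption: under 0.25 the gaps are regular enough to call this beaconing
            "periodic": cv is not None and cv < 0.25}


def analyse(dns, tcp) -> dict:
    res = resolution_summary(dns)
    report = session_stats(tcp)
    report["ddns_names"] = sorted(n for n, e in res.items() if e["ddns"])
    report["dead_names"] = sorted(n for n, e in res.items() if e["ok"] == 0)
    report["live_names"] = {n: sorted(e["addresses"]) for n, e in res.items() if e["ok"]}
    # failover: a primary that resolves alternating with a backup that never does
    report["failover_pattern"] = bool(report["dead_names"]) and bool(report["live_names"])
    return report
```

Two things this makes visible that the raw tables hide: the ~21 s session length is constant to within a few tens of milliseconds, which is the server's idle timeout rather than the client's, and the reconnect gap is the session length plus the DNS round trips for the dead backup host, so blocking the backup name at the resolver would not slow the implant down; sinkholing the primary or blocking 138.201.150.244:3984 would.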

                          Target ID:1
                          Start time:09:03:35
                          Start date:01/07/2024
                          Path:C:\Users\user\Desktop\MT103-7543324334.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\MT103-7543324334.exe"
                          Imagebase:0x8e0000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.1274790008.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:09:03:37
                          Start date:01/07/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe"
                          Imagebase:0x320000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true
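Process 3 is the Defender-tampering step: the sample launches PowerShell to add its own image path as an exclusion, which is what the "Adds a directory exclusion to Windows Defender" and "Powershell Base64 Encoded MpPreference Cmdlet" signatures key on. Note the WOW64 artefact in the record: the logged Path is SysWOW64 while the command line says System32, because the 32-bit parent's reference to System32 was redirected; a detection that compares full image paths would miss it, so match on the executable name. The Python below is an added detection example, not Joe Sandbox or Sigma code. It scans process-creation records of the shape a Sysmon event 1 or Security 4688 carries, decodes an -EncodedCommand payload before matching, and rates an exclusion that covers the parent process's own image or directory as high severity. The first record is the report's process 3; the remaining records are constructed.

```python
"""Process-creation detection for Defender exclusion tampering via Add-/Set-MpPreference,
including the base64 -EncodedCommand form and the self-exclusion case in this report."""
import base64
import re

MPPREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# one quoted or bare value; PowerShell lets several be passed comma-separated
_TOKEN = r'''"[^"]*"|'[^']*'|[^\s"',]+'''
# -Exclusion\w* also catches PowerShell's parameter-prefix abbreviations (-ExclusionP ...)
EXCL_RE = re.compile(r"(?i)-Exclusion\w*\s+((?:%s)(?:\s*,\s*(?:%s))*)" % (_TOKEN, _TOKEN))
VALUE_RE = re.compile(_TOKEN)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # a long bare argument that is not base64
        return None


def excluded_values(text: str):
    vals = []
    for m in EXCL_RE.finditer(text):
        vals += [v.strip("\"'") for v in VALUE_RE.findall(m.group(1))]
    return vals


def _norm(path: str) -> str:
    return path.strip("\"'").lower().rstrip("\\")


def detect(event: dict):
    """event carries Image, CommandLine, ParentImage as Sysmon EID 1 / Security 4688 do."""
    if not event["Image"].lower().endswith("\\powershell.exe"):   # SysWOW64 or System32 alike
        return None
    text = event["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded        # match on the decoded script as well
    if not MPPREF_RE.search(text):
        return None
    excluded = excluded_values(text)
    if not excluded:
        return None
    parent = _norm(event.get("ParentImage", ""))
    self_excl = any(_norm(v) == parent or (parent and parent.startswith(_norm(v) + "\\"))
                    for v in excluded)
    return {"rule": "defender_exclusion_added", "excluded": excluded,
            "encoded": decoded is not None, "self_exclusion": self_excl,
            "severity": "high" if self_excl or decoded else "medium"}


def scan(events):
    return [a for a in map(detect, events) if a]


def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()


# First record: process 3 of this report. The other two are constructed for the test.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MT103-7543324334.exe"',
     "ParentImage": r"C:\Users\user\Desktop\MT103-7543324334.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _enc(r"Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\svc,'C:\Tools'"),
     "ParentImage": r"C:\Users\user\AppData\Roaming\svc\host.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass Get-MpPreference",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

In production the medium-severity path (an exclusion added by anything other than the parent's own location) still deserves a ticket, because a legitimate administrator rarely does this from an interactive PowerShell spawned by a user-profile executable; the self-exclusion check is what lets the report's case be auto-escalated.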

                          Target ID:4
                          Start time:09:03:37
                          Start date:01/07/2024
                          Path:C:\Users\user\Desktop\MT103-7543324334.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\MT103-7543324334.exe"
                          Imagebase:0x740000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1254234461.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:5
                          Start time:09:03:37
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff75da10000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:09:03:37
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x9d0000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.1301342473.0000000003EC8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 71%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:09:03:39
                          Start date:01/07/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x320000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:09:03:39
                          Start date:01/07/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff7fb730000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:09:03:39
                          Start date:01/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff75da10000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:09:03:39
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x800000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.3700500743.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.3707534940.0000000002B0F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:false

                          Target ID:20
                          Start time:09:03:49
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0xd90000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.1418482659.00000000042BA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:21
                          Start time:09:03:50
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x750000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.1385310551.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:23
                          Start time:09:03:57
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x710000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.1496790759.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:24
                          Start time:09:03:58
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0xd30000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1465639102.0000000001478000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:25
                          Start time:10:32:41
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x840000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.1580860250.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.1580860250.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:26
                          Start time:10:32:42
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x260000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:27
                          Start time:10:32:42
                          Start date:01/07/2024
                          Path:C:\Users\user\AppData\Roaming\QQ\QQ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\QQ\QQ.exe"
                          Imagebase:0x790000
                          File size:1'601'536 bytes
                          MD5 hash:6D16DCF1423B30677D2918AE11FE2BC3
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.1548659538.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true
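Two behaviours in the process tree above are worth turning into detections: powershell.exe running Add-MpPreference -ExclusionPath for the sample's own path (note that the Path column shows the SysWOW64 copy of powershell.exe while the command line names System32, because the 32-bit parent is subject to WoW64 file-system redirection), and the sample relaunching itself as C:\Users\user\AppData\Roaming\QQ\QQ.exe with the same MD5 as the file on the Desktop. The following is an added example, not Joe Sandbox output and not code from the sample: the detection logic run over constructed process-creation events modelled on the table. Field names (Image, CommandLine, ProcessId, ParentProcessId, Hashes) follow Sysmon Event ID 1 naming as an assumption, and the event with an -EncodedCommand payload is a constructed variant that the table does not show, added because the same cmdlet is routinely delivered Base64-encoded.

```python
"""Detection logic over process-creation events, modelled on this report's
process tree. CONSTRUCTED data: the events below mirror the table (paths,
MD5s, command lines) but are not sandbox or Sysmon output. Field names follow
Sysmon Event ID 1 naming as an assumption; adapt them to your telemetry."""
import base64
import json
import re
from typing import Dict, List, Tuple

# Constructed -EncodedCommand form (UTF-16LE, base64) of the cmdlet that the
# table shows only in cleartext.
ENCODED_CMDLET = base64.b64encode(
    "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\QQ".encode("utf-16-le")
).decode("ascii")

PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CONSTRUCTED_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 1, "ParentProcessId": 0, "Image": "C:\\Users\\user\\Desktop\\MT103-7543324334.exe",
     "CommandLine": "\"C:\\Users\\user\\Desktop\\MT103-7543324334.exe\"",
     "Hashes": "MD5=6D16DCF1423B30677D2918AE11FE2BC3"},
    # 32-bit parent: the OS runs the SysWOW64 powershell.exe although the
    # command line names System32 (WoW64 file-system redirection).
    {"ProcessId": 3, "ParentProcessId": 1, "Image": PS32,
     "CommandLine": f"\"{PS64}\" Add-MpPreference -ExclusionPath \"C:\\Users\\user\\Desktop\\MT103-7543324334.exe\"",
     "Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"ProcessId": 5, "ParentProcessId": 3, "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
     "Hashes": "MD5=0D698AF330FD17BEE3BF90011D49251D"},
    {"ProcessId": 6, "ParentProcessId": 1, "Image": "C:\\Users\\user\\AppData\\Roaming\\QQ\\QQ.exe",
     "CommandLine": "\"C:\\Users\\user\\AppData\\Roaming\\QQ\\QQ.exe\"",
     "Hashes": "MD5=6D16DCF1423B30677D2918AE11FE2BC3"},
    {"ProcessId": 8, "ParentProcessId": 6, "Image": PS32,
     "CommandLine": f"\"{PS64}\" Add-MpPreference -ExclusionPath \"C:\\Users\\user\\AppData\\Roaming\\QQ\\QQ.exe\"",
     "Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"ProcessId": 12, "ParentProcessId": 6, "Image": PS32,  # constructed encoded variant, not in the report
     "CommandLine": f"\"{PS64}\" -NoP -enc {ENCODED_CMDLET}",
     "Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
])

MP_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|process|extension|ipaddress)", re.I | re.S)
ENCODED_ARG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def normalize_command_line(cmd: str) -> str:
    """Replace an -EncodedCommand payload with its decoded UTF-16LE text so the
    cmdlet regex sees cleartext; leave the line untouched if it does not decode."""
    m = ENCODED_ARG_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd[:m.start(1)] + decoded + cmd[m.end(1):]


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def md5_of(event: dict) -> str:
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("MD5="):
            return part[4:].upper()
    return ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, ProcessId) findings. Events must be in start order so a
    child's parent has already been recorded when the child is seen."""
    findings: List[Tuple[str, int]] = []
    md5_by_pid: Dict[int, str] = {}
    image_by_pid: Dict[int, str] = {}
    for ev in events:
        pid, ppid = int(ev["ProcessId"]), int(ev["ParentProcessId"])
        image, cmd, md5 = ev.get("Image", ""), ev.get("CommandLine", ""), md5_of(ev)
        md5_by_pid[pid], image_by_pid[pid] = md5, image
        # Rule 1: Defender exclusion added from PowerShell. Match on the image
        # basename only: a rule anchored on \System32\ misses the SysWOW64 copy.
        if basename(image) in ("powershell.exe", "pwsh.exe") and \
                MP_EXCLUSION_RE.search(normalize_command_line(cmd)):
            findings.append(("defender_exclusion_added", pid))
        # Rule 2: self-copy persistence. The child carries the parent's MD5 but
        # runs from a different path under AppData\Roaming.
        if md5 and md5 == md5_by_pid.get(ppid) and \
                image.lower() != image_by_pid.get(ppid, "").lower() and \
                "\\appdata\\roaming\\" in image.lower():
            findings.append(("self_copy_persistence", pid))
    return findings
```

Rule 2 deliberately compares the child's hash with the parent's own creation event rather than with a static IOC, so it fires on the copy-and-relaunch pattern regardless of which hash a given build of the sample has; a registry-run-key event would be the natural second signal to correlate with it.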


                            Execution Graph

                            Execution Coverage:11.9%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:2.2%
                            Total number of Nodes:223
                            Total number of Limit Nodes:8
                            Execution graph data (rendered interactively on the original page); nodes with API calls, recovered from the graph data:
                            • 1404df0 → 1404df9 → 1404eea → 1405400 / 14053ef / 1405562 → 1404fe4 → 1406490: CreateActCtxA
                            • 7122c20 → 7122c46 → 71210ec → 7122ea0: PostMessageW
                            • 7c71670 → 7c70b24 → 7c72663 / 7c72670 / 7c71ac4 → 7c726e0 / 7c71ac9: DrawTextExW
                            • 140da78 → 140dc58 → 140d360 → 140dcc0: DuplicateHandle
                            • 140b6f8 → 140b7e2 → 140ba28: GetModuleHandleW; 140ba78 / 140ba88 → 140b230 → 140bc68: LoadLibraryExW
                            • 712019f → 71200d4 → 7121a00 / 7121a66 / 71219f1 → 7121a1a, which fans out to the injection helpers (2 to 6 API calls each) that reach:
                              7c7f7c0 / 7c7f7b8 → 7c7f800: VirtualAllocEx
                              7c7f6e0 / 7c7f6e8 → 7c7f72d: Wow64SetThreadContext
                              7c7f880 / 7c7f878 → 7c7f8c8: WriteProcessMemory
                              7c7fafd / 7c7fb08 → 7c7fb91: CreateProcessA
                              7c7f969 / 7c7f970 → 7c7f9bb: ReadProcessMemory
                              7122b8a / 7122b98 → 7c7f200 / 7c7f1f8 → 7c7f240: ResumeThread
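The API nodes reached from the 712019f / 7121a1a helpers in the execution graph (CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, with LoadLibraryExW / GetModuleHandleW for run-time API resolution) are the sequence characteristic of process hollowing: create a child, overwrite its image, redirect its primary thread, resume it. The following is an added example, not part of the Joe Sandbox report and not the sample's code: a sequence matcher over an ordered API-call trace that tolerates interleaved supporting calls and the ANSI / Unicode / Nt* / Wow64 aliases. The trace below is constructed, and its line format (pid= api= flags= child=) and the child correlation key are assumptions for illustration; the report's graph exposes neither call arguments nor the CREATE_SUSPENDED flag.

```python
"""Process-hollowing sequence detection over an ordered API-call trace.
Added example modelled on the API nodes in the execution graph; the trace
below is CONSTRUCTED, and its line format (pid= api= flags= child=) and the
`child` correlation key are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x4

# Collapse ANSI/Unicode, Nt* and Wow64 variants onto one step name. Calls not
# in this map (VirtualAllocEx, ReadProcessMemory, LoadLibraryExW, ...) are
# supporting calls: tolerated between steps, but not required for a match.
ALIASES = {
    "CreateProcessA": "CreateProcess", "CreateProcessW": "CreateProcess",
    "CreateProcessInternalW": "CreateProcess",
    "WriteProcessMemory": "WriteProcessMemory", "NtWriteVirtualMemory": "WriteProcessMemory",
    "SetThreadContext": "SetThreadContext", "Wow64SetThreadContext": "SetThreadContext",
    "NtSetContextThread": "SetThreadContext",
    "ResumeThread": "ResumeThread", "NtResumeThread": "ResumeThread",
}

CONSTRUCTED_TRACE = """
# constructed: the injector path seen in the graph (API resolution, then the hollowing chain)
pid=4 api=GetModuleHandleW
pid=4 api=LoadLibraryExW
pid=4 api=CreateProcessA flags=0x4 child=1234
pid=4 api=ReadProcessMemory child=1234
pid=4 api=VirtualAllocEx child=1234
pid=4 api=WriteProcessMemory child=1234
pid=4 api=WriteProcessMemory child=1234
pid=4 api=Wow64SetThreadContext child=1234
pid=4 api=ResumeThread child=1234
# constructed benign: a launcher that never touches the child's memory or thread context
pid=9 api=CreateProcessW flags=0x0 child=2222
pid=9 api=ResumeThread child=2222
# constructed benign: writes into a suspended child but never redirects its thread
pid=9 api=CreateProcessW flags=0x4 child=3333
pid=9 api=WriteProcessMemory child=3333
pid=9 api=ResumeThread child=3333
"""


@dataclass
class Track:
    """Progress of one (injector pid, child) pair through the chain."""
    suspended: Optional[bool]   # None when the trace carries no creation flags
    writes: int = 0
    context_set: bool = False


def parse_trace(text: str) -> List[Dict[str, str]]:
    """key=value tokens per line; lines starting with '#' are comments."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            calls.append(dict(re.findall(r"(\w+)=(\S+)", line)))
    return calls


def detect_hollowing(calls: List[Dict[str, str]]) -> List[Tuple[Tuple[str, str], dict]]:
    """Alert when, for one (pid, child) pair, CreateProcess is followed (with
    any interleaving) by >= 1 WriteProcessMemory, then SetThreadContext, then
    ResumeThread. Returns [((pid, child), details), ...]."""
    tracks: Dict[Tuple[str, str], Track] = {}
    alerts: List[Tuple[Tuple[str, str], dict]] = []
    for call in calls:
        step = ALIASES.get(call.get("api", ""))
        if step is None:
            continue
        key = (call.get("pid", "?"), call.get("child", "?"))
        if step == "CreateProcess":
            flags = call.get("flags")
            tracks[key] = Track(None if flags is None else bool(int(flags, 16) & CREATE_SUSPENDED))
            continue
        t = tracks.get(key)
        if t is None:
            continue  # memory/thread access to a process this pid did not create: a different technique
        if step == "WriteProcessMemory":
            t.writes += 1
        elif step == "SetThreadContext" and t.writes:
            t.context_set = True  # entry point redirected after the image was rewritten
        elif step == "ResumeThread":
            if t.writes and t.context_set:
                alerts.append((key, {"writes": t.writes, "suspended": t.suspended}))
            del tracks[key]  # the chain is complete (or broken) once the child runs
    return alerts
```

The matcher keys on the creator/child pair rather than on a fixed call order, which is what makes it robust to the extra ReadProcessMemory and VirtualAllocEx calls the graph shows between CreateProcessA and the writes; the `suspended` field is reported but not required, so a trace whose hooks do not capture dwCreationFlags still matches.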
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4edb4109915f05d50b62c7226257737a12a53a880f4b59b4aa502b03c1cf0bf1
                            • Instruction ID: 9a7f234d3344dba5d139f019ac71053926dfd3f0784a330a6cbecd8f0f37225c
                            • Opcode Fuzzy Hash: 4edb4109915f05d50b62c7226257737a12a53a880f4b59b4aa502b03c1cf0bf1
                            • Instruction Fuzzy Hash: 0A43EAB4E00619CFDB28DF68C898A9DB7B2BF89311F158199D419AB365DB30ED81CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.1282399569.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7120000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f85edcd83eeeb197d739553e932c2752c3080301cc32edf8ede56dde05db0a95
                            • Instruction ID: 88103db2e6d025b39ff6f24cf3b6533e82bdc1d942324f0090bf873f8d48b06a
                            • Opcode Fuzzy Hash: f85edcd83eeeb197d739553e932c2752c3080301cc32edf8ede56dde05db0a95
                            • Instruction Fuzzy Hash: A022ABB0B012159FDB1ADB66C450BAEB7F6AF89700F24446EE1169B3E0CB35ED02DB51
                            Memory Dump Source
                            • Source File: 00000001.00000002.1282399569.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7120000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d3a8e163d1034019501ed689a6e19c38fbcc5c1728925aa0d450c4f493e5aebc
                            • Instruction ID: fbae707c3dd3e1e383bba60ff1d8518d59ea2851e50e32358a4dd790f00543ea
                            • Opcode Fuzzy Hash: d3a8e163d1034019501ed689a6e19c38fbcc5c1728925aa0d450c4f493e5aebc
                            • Instruction Fuzzy Hash: 2D8108B1D04229DBDB28CF66CC407DDB7F6BF8A300F1181AAD41DA6291EB705A96DF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f33ef66e832a6b85eb195168037f241bd442ceff0e3876a2b98a78424a6be2f0
                            • Instruction ID: b07fc98d17b4c10afd099abd2054dafb8241e4984334eacc68306fb59357e257
                            • Opcode Fuzzy Hash: f33ef66e832a6b85eb195168037f241bd442ceff0e3876a2b98a78424a6be2f0
                            • Instruction Fuzzy Hash: FE21E6B1D056588BEB19CFA7D8543EEBFF6AFC9310F14C06AD409A62A4DB740946CF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.1282399569.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7120000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f1172a2393f2892f8b24c941c8fc6b1920f7c7a3cd2ed5ae6340d873a5fc81d
                            • Instruction ID: 9b807aa7ee13dad5bab2f0fe605df9bb78a8762b1b7fc91006fa40c962902877
                            • Opcode Fuzzy Hash: 9f1172a2393f2892f8b24c941c8fc6b1920f7c7a3cd2ed5ae6340d873a5fc81d
                            • Instruction Fuzzy Hash: 8FE086B4C1E26ADFC714DF60D4405B8FBB8BB0B310F12A2598829972D2DB304955EF04
                            Memory Dump Source
                            • Source File: 00000001.00000002.1282399569.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7120000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bed47bc4d4b4cf6c28c6257238c49f017038f6140efae37deda1aa981f5f1551
                            • Instruction ID: c3631c2401b690cc9e0b71701510b08edc3a0c148abecb3a4ab333e032a2fea1
                            • Opcode Fuzzy Hash: bed47bc4d4b4cf6c28c6257238c49f017038f6140efae37deda1aa981f5f1551
                            • Instruction Fuzzy Hash: E3B012C1C5F17498CB472A1000200F895BC171B000F533341C059230C31700C42B300D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6/
                            • API String ID: 0-3003778272
                            • Opcode ID: 84653e7f0f1a6ea448107b16afcb06b6fb4eb76781c0a6e0f78f02ac89b0bedc
                            • Instruction ID: 50b1c72dc87bf9ad50b0973eb2fcdd2518f4953ab3bfbd90e98692ec4c3f51d5
                            • Opcode Fuzzy Hash: 84653e7f0f1a6ea448107b16afcb06b6fb4eb76781c0a6e0f78f02ac89b0bedc
                            • Instruction Fuzzy Hash: 093272B0F14229CFDB14AB95C844BAD77B6BB85328F244465E406BF38DCB71AC42EB51

                            Control-flow Graph

                            Control-flow graph of the function entered at 7c7fafd (rendered interactively on the original page; the executed / not executed colouring is not recoverable). Blocks span 7c7fafd-7c7fe4d; the only API call is CreateProcessA in block 7c7fc97-7c7fd51, reached after three self-looping blocks (7c7fbbd-7c7fbcc, 7c7fc16-7c7fc25, 7c7fc7e-7c7fc8d) and followed by a chain of small conditional blocks 7c7fde2-7c7fe46 that ends in a self-loop at 7c7fe4d.
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C7FD3E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: f0fce19dc29bf6377602df9b29b6dcce700eec004279172df8e90db051a58805
                            • Instruction ID: 10343f4901a0e5814e2c680097d0f7b9a0132bf3310e0e28034e007accd98f31
                            • Opcode Fuzzy Hash: f0fce19dc29bf6377602df9b29b6dcce700eec004279172df8e90db051a58805
                            • Instruction Fuzzy Hash: B7A15FB1D0061ADFDB24CF69C881BDDBBB2BF48310F1485A9D818A7240DB759986CF91

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C7FD3E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 90614822e4a0f81a0097410ac301b69109c26c544e78fd61312351fbed4ed51b
                            • Instruction ID: 5ccb89b038e996b984675135177d0ab3941089942c15dae951230515382b56b3
                            • Opcode Fuzzy Hash: 90614822e4a0f81a0097410ac301b69109c26c544e78fd61312351fbed4ed51b
                            • Instruction Fuzzy Hash: 3D9160B1D0071ACFDB24DF69C8817DDBBB2BF48310F1485A9D818A7240DB759A86CF91

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0140BA46
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: d409e788a4bc1836bae757d15f37e305abdcbfdec1f11b6528d228e0c1892492
                            • Instruction ID: 54a3d4a0c9a2da9debe1a6d8ce596636664a032dc118b35ea9bc8059ac750518
                            • Opcode Fuzzy Hash: d409e788a4bc1836bae757d15f37e305abdcbfdec1f11b6528d228e0c1892492
                            • Instruction Fuzzy Hash: 40814674A00B058FE726DF2AD44475ABBF1FF48200F00892ED59ADBBA0D775E949CB94

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01406541
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 67a93e1a9a5b9219eedf9d4b2579f0bc06f429d7eb49e1c08304b04b636b5ddb
                            • Instruction ID: 5c05a640c34793e238c9325a1a201901035db035669319716e985163ba4b84c6
                            • Opcode Fuzzy Hash: 67a93e1a9a5b9219eedf9d4b2579f0bc06f429d7eb49e1c08304b04b636b5ddb
                            • Instruction Fuzzy Hash: AA41D2B1C00729CFDB24DFAAC84479EBBB5BF48314F20816AD409AB254DB755946CF90

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01406541
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 1f5107c067bda7b570926c26ea7d3ac49d63032df67be4d89385ede6d87ed0d1
                            • Instruction ID: ee250ca299059fbec72a8859d43fa4707f71181cac2b15e88469dd505413aca6
                            • Opcode Fuzzy Hash: 1f5107c067bda7b570926c26ea7d3ac49d63032df67be4d89385ede6d87ed0d1
                            • Instruction Fuzzy Hash: 7241F2B0C0071DCBDB24DFAAC844B9EBBF6BF48314F20816AD409AB254DB756946CF90

                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07C7268D,?,?), ref: 07C7273F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: f957aa8e638cdc51865259fc86222cf44f8ad48fb666dbb0aaeb6946c4b8e781
                            • Instruction ID: 1e31701dd887bf7e9dcf730e618017e44bf8696f269017d3ca49f4c71b9e057c
                            • Opcode Fuzzy Hash: f957aa8e638cdc51865259fc86222cf44f8ad48fb666dbb0aaeb6946c4b8e781
                            • Instruction Fuzzy Hash: 9431F2B5D003099FDB10DF9AD884ADEBBF5FF48220F14842AE914A7210D775A944CFA4

                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07C7268D,?,?), ref: 07C7273F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: 4a26bc757aaa7c23048e1878675b43e7713525c8f5ab9eaec1930451312d4063
                            • Instruction ID: 6c2184a5804d07c75ea78f3a40075af668822c59b7a97a6a493ad76c6b892afc
                            • Opcode Fuzzy Hash: 4a26bc757aaa7c23048e1878675b43e7713525c8f5ab9eaec1930451312d4063
                            • Instruction Fuzzy Hash: EB2127B6900209AFDB11CF99D840BDEBBF5FF48320F18841AE919AB261D735D951DBA0

                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07C7268D,?,?), ref: 07C7273F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: 7b1889edf03869939b1f07141b0d2ec2f1a7b474e9c9e8498ffa553846e891a9
                            • Instruction ID: d0645e661074d74e1d24cf7677675cea513aef1a9e33dc4a75f5ffae16386d01
                            • Opcode Fuzzy Hash: 7b1889edf03869939b1f07141b0d2ec2f1a7b474e9c9e8498ffa553846e891a9
                            • Instruction Fuzzy Hash: 8331E3B5D003099FDB10CF9AD884A9EFBF5FF48310F54842AE919A7210D774A940CFA0

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C7F910
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: ad777d20dda951e3d9105c8b5c9b0980f83445958552f84a98e3d5342964afa5
                            • Instruction ID: 5f27fddec5db85ccde5a47607ec03da3afde99e29e9309aa06fe4c1875f7d432
                            • Opcode Fuzzy Hash: ad777d20dda951e3d9105c8b5c9b0980f83445958552f84a98e3d5342964afa5
                            • Instruction Fuzzy Hash: EB2144B5D003099FDB10CFA9C881BEEBBF5FF48320F10842AE958A7240CB789941CB60

                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07C7268D,?,?), ref: 07C7273F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: 8e29bd849f8814b463b54a36416686dbe74ecd4b44e1e2336972e8e6d776fa73
                            • Instruction ID: babf3dafe9aff0e984228dda40d6f0b2e24d0ea49af77af350ecb6b87778df7f
                            • Opcode Fuzzy Hash: 8e29bd849f8814b463b54a36416686dbe74ecd4b44e1e2336972e8e6d776fa73
                            • Instruction Fuzzy Hash: AA21E0B5D003099FDB10CF9AD884A9EFBF5FB48320F14842AE918A7310D774A940CFA0

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C7F910
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 7145532c40a368e582c50f914df07e72e040022865b31f3b7d200248a83248e6
                            • Instruction ID: eb31de7439bc1bff5ca18e8821174bac7ac06cfdcbf19d2f1a7458edfdc1a70a
                            • Opcode Fuzzy Hash: 7145532c40a368e582c50f914df07e72e040022865b31f3b7d200248a83248e6
                            • Instruction Fuzzy Hash: EC2127B5D003199FDB10DFA9C885BEEBBF5FF48310F10842AE958A7240CB789941CBA4

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C7F766
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: e4f2f1871700147eaac1da3edf31c8ca180b4ba209af261e985c810f5e95c8a2
                            • Instruction ID: c0297ad192c8adc80806a81165e9ab0d7884851f2fbf783eed3928f8e39ab624
                            • Opcode Fuzzy Hash: e4f2f1871700147eaac1da3edf31c8ca180b4ba209af261e985c810f5e95c8a2
                            • Instruction Fuzzy Hash: DC2148B5D003099FDB10DFAAC4857EEBBF4AF48320F508429D458A7240CB789945CFA4

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C7F9F0
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 1f8053cbef3abe66e8a3c8abb59becb8894629107f47b3fcefdbd710cf82968f
                            • Instruction ID: 200d92780d7a3a2ac2e4a58977b5d6b1f7ed250b8be3249e0eac61153747129a
                            • Opcode Fuzzy Hash: 1f8053cbef3abe66e8a3c8abb59becb8894629107f47b3fcefdbd710cf82968f
                            • Instruction Fuzzy Hash: B72107B5C003599FDB10DF9AC881BEEBBF5FF48310F508429E959A7240CB359541DBA5

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0140DC86,?,?,?,?,?), ref: 0140DD47
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 5791b41cb297004da18d7b6835b20fc7cbd9f4fd95323f3a2d1300664b117df3
                            • Instruction ID: ecd123c27e96ec7814d2784bcd05e7a5ae0672d80f11e86a880a50f22525ec13
                            • Opcode Fuzzy Hash: 5791b41cb297004da18d7b6835b20fc7cbd9f4fd95323f3a2d1300664b117df3
                            • Instruction Fuzzy Hash: 1221E3B5D00209DFDB10CF9AD984AEEBBF9EB48320F14842AE914A7350D374A945CFA4

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C7F766
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 2bee7c1249ed78bdf32e97377720635b4ac73828041cd5c5dce3f3ecaeaa2756
                            • Instruction ID: 05518cb890a2ff4a4e4f7bcee153b32f346cf95e8ca031a3255410dca94bc1d6
                            • Opcode Fuzzy Hash: 2bee7c1249ed78bdf32e97377720635b4ac73828041cd5c5dce3f3ecaeaa2756
                            • Instruction Fuzzy Hash: 1C2107B5D003098FDB10DFAAC4857AEBBF4AF48224F54842DD559A7240CB789945CFA5
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C7F9F0
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 4e184e44cd53fb30f576028e0a14cd64d70b94155611e81430fa4c724cc4eb92
                            • Instruction ID: 54b0164e1f11637252770aa5930ae507fa30f77a4e5e0664f9db134bc096912e
                            • Opcode Fuzzy Hash: 4e184e44cd53fb30f576028e0a14cd64d70b94155611e81430fa4c724cc4eb92
                            • Instruction Fuzzy Hash: 652119B1C003599FDB10DF9AC881BEEBBF5FF48310F508429E559A7240CB359541CB64
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140BAC1,00000800,00000000,00000000), ref: 0140BCD2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 0c98f0239abca97c819b829094c16a6fc7d9d30a2b7f638be8166bbf208cf77e
                            • Instruction ID: af20f0472c90169cbd0efc127ebe2cb8a6c42cc15553255a9f33d217a702afc0
                            • Opcode Fuzzy Hash: 0c98f0239abca97c819b829094c16a6fc7d9d30a2b7f638be8166bbf208cf77e
                            • Instruction Fuzzy Hash: D72123BAC043488FDB11CFAAC844ADEBBF4EF88210F14806ED559AB251D774A505CBA5
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C7F82E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 5cc2ec5f9015dc7a4af9904de88872e735021240e741e4f71efbd3db358e18df
                            • Instruction ID: 6c4710a8c3bcc5edd55085cb50dd226e2bb22d98c0d214ea362386ced3964984
                            • Opcode Fuzzy Hash: 5cc2ec5f9015dc7a4af9904de88872e735021240e741e4f71efbd3db358e18df
                            • Instruction Fuzzy Hash: A1114775D003099FDB20DFAAC845BEEBBF5AB48320F148419E915A7250CB759941CBA5
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140BAC1,00000800,00000000,00000000), ref: 0140BCD2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 4e99ec1760842471612affda7c0ab4d2891559d04e5a84c09dba043952812541
                            • Instruction ID: 13ae58c34ffcc4151cdccd56040794c0318f5dafa29586b7494ace3046657313
                            • Opcode Fuzzy Hash: 4e99ec1760842471612affda7c0ab4d2891559d04e5a84c09dba043952812541
                            • Instruction Fuzzy Hash: 0411F2BAD043098FDB20CF9AC444A9EBBF4EB48210F10842ED919A7250C775A545CFA4
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C7F82E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 4db758defd17b8a15ca7777432e60e2dbd9197eb1bd9d7fd2d73231fd8b32268
                            • Instruction ID: 46c08e75bd8594a3ec198682df5e3879bd10c3ea0977a908621c14efb13d2209
                            • Opcode Fuzzy Hash: 4db758defd17b8a15ca7777432e60e2dbd9197eb1bd9d7fd2d73231fd8b32268
                            • Instruction Fuzzy Hash: EC113775C003499FDB20DFAAC845BEEBBF5EF48320F148419E915A7250CB759941CFA0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140BAC1,00000800,00000000,00000000), ref: 0140BCD2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: d8c83dfaf2cd7d4b1e0baae332046ad0e64dbeb71d6b2f1491f4d6b66ed8e464
                            • Instruction ID: ff81fca277d131c64d3d4605f8977ad2bd2c2237a1587d413e2f3784e96ba1bd
                            • Opcode Fuzzy Hash: d8c83dfaf2cd7d4b1e0baae332046ad0e64dbeb71d6b2f1491f4d6b66ed8e464
                            • Instruction Fuzzy Hash: D411D3BAC042499FDB14CF9AD844ADEFBF4EB88310F10842ED519A7250C775A545CFA5
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289005540.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7c70000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07122EFD
                            Memory Dump Source
                            • Source File: 00000001.00000002.1282399569.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7120000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0140BA46
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270657460.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1400000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07122EFD
                            Memory Dump Source
                            • Source File: 00000001.00000002.1282399569.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7120000_MT103-7543324334.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: )
                            • API String ID: 0-2427484129
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: 3
                            • API String ID: 0-1842515611
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: O
                            • API String ID: 0-878818188
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: \)tl
                            • API String ID: 0-2555675624
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: r
                            • API String ID: 0-1812594589
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: \)tl
                            • API String ID: 0-2555675624
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: *
                            • API String ID: 0-163128923
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: D<Z
                            • API String ID: 0-1559290824
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: \)tl
                            • API String ID: 0-2555675624
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: *
                            • API String ID: 0-163128923
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 31dd6d73901b5b369a94bac4ad1a2f021f6ec11955b7f69202001f04e3fd0866
                            • Instruction ID: 745bd014c9f39e2ee5426e557716d95fb105df392f2c2d7f96cc5cbf2884f8c5
                            • Opcode Fuzzy Hash: 31dd6d73901b5b369a94bac4ad1a2f021f6ec11955b7f69202001f04e3fd0866
                            • Instruction Fuzzy Hash: 575159B5D05219DFCB04CFAAD5849ADFBB6FF4D312F249169E40AAB202C7349981CF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e01058215c0ca5a36b1e63d13d128cca65d44f4f50dcca66f30a88a52320bdee
                            • Instruction ID: f3acdc2e4430d3b0163dd018f63935b307186282939a8a14400019b847c623aa
                            • Opcode Fuzzy Hash: e01058215c0ca5a36b1e63d13d128cca65d44f4f50dcca66f30a88a52320bdee
                            • Instruction Fuzzy Hash: F9513F39B01108DFDB58DBA9D85466DB7B6FFCD215B248069E806D7389DF329C039B90
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0916abe437e6e11423e339dd1867de5a166bedcef5c7f8a94f3b532bbe493942
                            • Instruction ID: 62bfe614561cdec52802419cad0c86311b320c6c79bfe491bf8830900d904e3b
                            • Opcode Fuzzy Hash: 0916abe437e6e11423e339dd1867de5a166bedcef5c7f8a94f3b532bbe493942
                            • Instruction Fuzzy Hash: 2351ADB4909284DFC306DBBAE554958BFB0AF4B201B2A80DAD484DF263D6359E09CB12
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab341fde2d2e65e09a3da79fe4616356d347fa1c2b7bee5c6891e66f2aca4bb8
                            • Instruction ID: 7c300d728cf45ed2d551f06bb8ac6973fa8f2bfcef5d73c60e61c088cbd50dd6
                            • Opcode Fuzzy Hash: ab341fde2d2e65e09a3da79fe4616356d347fa1c2b7bee5c6891e66f2aca4bb8
                            • Instruction Fuzzy Hash: 0751F4B5E04219CFDB08CFAAC8846EDBBB6FF89311F10802AE419AB355DB755906CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f288143ab02f84b1ababeaccd3f930918c6b9fbb900618980da372c83b4f83cd
                            • Instruction ID: 11fac7ef1d81cbdf6559c4835ef7b0601ce95fbf02605c489d3d41781e83bfb6
                            • Opcode Fuzzy Hash: f288143ab02f84b1ababeaccd3f930918c6b9fbb900618980da372c83b4f83cd
                            • Instruction Fuzzy Hash: 9F4149B5E092189BDB08CFAAD4446EEBBF6FF8D322F14D029E409A7251D7744941CF64
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a79ce2d35d0cbfdcaedba45fea002807c0f2d30b81fcc6a45352d3212c454386
                            • Instruction ID: 0e9aace3c181c6db3c75e1822809c089c68852a46145809478244117c4e03723
                            • Opcode Fuzzy Hash: a79ce2d35d0cbfdcaedba45fea002807c0f2d30b81fcc6a45352d3212c454386
                            • Instruction Fuzzy Hash: 4941C135A04300DBE321EB34C854BBA77B6AF89318F144659E9668F3C5DB74BD42C7A1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32473542610c8b09d611c6d651b0bfdcc87c307c3c3e8712b133788e3fef1b6a
                            • Instruction ID: 07c3501b5a7a61b31632bec485bf75352fa1e148047e604931840e270574b2cc
                            • Opcode Fuzzy Hash: 32473542610c8b09d611c6d651b0bfdcc87c307c3c3e8712b133788e3fef1b6a
                            • Instruction Fuzzy Hash: 374117B5D09219DFCB00CFF9E4859FEBBB4FB0E221B0158A9E856AB311D7309814CB64
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a8a988bde6877eb3404a5918aafe82039dc832921d94cbb8aa350f83c986745
                            • Instruction ID: 6ac4b7aa9d1256fde1f220126c65d69b4515a6958335681a2618b03b120a4e0e
                            • Opcode Fuzzy Hash: 8a8a988bde6877eb3404a5918aafe82039dc832921d94cbb8aa350f83c986745
                            • Instruction Fuzzy Hash: CE41F8B5D09229DFCB00CFE5E4858FEBBB4FB4E222B115865E456BB315D7309850CB64
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4112923e52943f7dfbbfb10ded2f416b265a30adbccd3a35553b4cd951146561
                            • Instruction ID: 316838d2cad5819b50e3b6f957ffa26d01c98ebb3629c6bfa647c8bb06f1bfce
                            • Opcode Fuzzy Hash: 4112923e52943f7dfbbfb10ded2f416b265a30adbccd3a35553b4cd951146561
                            • Instruction Fuzzy Hash: 2931E6792086508FD717DB35EC419FD3BA1EB86325B188196E851CF2E3C7249D0687A1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 097d11fd20dfd524e32b115373c9f68c3c1662f36726efd9026a36fdc2e81d05
                            • Instruction ID: e8a01d812d6737824e66ca11b3971694eba5a652ca744c0d231b63be4e810cd9
                            • Opcode Fuzzy Hash: 097d11fd20dfd524e32b115373c9f68c3c1662f36726efd9026a36fdc2e81d05
                            • Instruction Fuzzy Hash: 6A41ADB4E102299FCB44CFB9C884AEDBBB2BB19311F149029E81AFB210DB359941CF14
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 650943ab5e5ff8dfc0f20eda1082468c952cf8374d6d79e717531679908eed3f
                            • Instruction ID: 3d6a44d8fda888d854f2938be2a771935b06b0febce15b33350b540f8f8cf099
                            • Opcode Fuzzy Hash: 650943ab5e5ff8dfc0f20eda1082468c952cf8374d6d79e717531679908eed3f
                            • Instruction Fuzzy Hash: 2731B43920C6618FD717DB34E8509ED3BA1AF86314B198196E855CF6E7CB20A90687E1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 41deaf0ae837efc724a10a47b8a88b4368fbf71c6b68c53e0d243b37f919f46b
                            • Instruction ID: 27ddca6ea6bf46d0e57308139468460233480f33ba59454647d9b911b0aff664
                            • Opcode Fuzzy Hash: 41deaf0ae837efc724a10a47b8a88b4368fbf71c6b68c53e0d243b37f919f46b
                            • Instruction Fuzzy Hash: E341E6B5D09219DFCB00CFE9E4858FDBBB4FB4E222B019869E466BB211D7319850CF14
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7f06cc4f7726f430861371746a10e7d9f16a4b253ee472fdfd7fd534b5dec26
                            • Instruction ID: 5b31c08663f9ba5e478c81f841bd1d0ce966f6d3a88aa8b8682df7beace145a8
                            • Opcode Fuzzy Hash: a7f06cc4f7726f430861371746a10e7d9f16a4b253ee472fdfd7fd534b5dec26
                            • Instruction Fuzzy Hash: 9231913930C2A18FE716D635AC11AED3B65DBC6224F1881A6E441CF6E3CB249D0796E1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a27e7a04d7a3fb4242563ce6d831cd65809e3f350267033ec2145aeb1e60954
                            • Instruction ID: ee5e000074c54351e9596474086b97ed3271883c02643df6a2ed2679d9e4984e
                            • Opcode Fuzzy Hash: 2a27e7a04d7a3fb4242563ce6d831cd65809e3f350267033ec2145aeb1e60954
                            • Instruction Fuzzy Hash: B831B43930C2609FD717D725AC15AFD3BA6DFC5214F1981A6E445CF6E2CB249C0B86E1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b0ead9f6b28e553aa5552e4f8a4bd567dd1c0ae90561f21c6026b0471d94b1c
                            • Instruction ID: d9d6e7cfe89dafb16aaf82dfee105c938e5a840d13e00a6261ea47b0d102f185
                            • Opcode Fuzzy Hash: 9b0ead9f6b28e553aa5552e4f8a4bd567dd1c0ae90561f21c6026b0471d94b1c
                            • Instruction Fuzzy Hash: 93417A75A006098FCB05DF64C884AEEBBF2EF49311F1580A9E805AB366DB35EE05CB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd158a233168a9231034e2d6fb3ba11173be53c49c512332790391796294a344
                            • Instruction ID: 3a0c6a708c3796e2f7fe0dcf7e0988bb0c921b14c7a69000dc276fb7e5e8bf88
                            • Opcode Fuzzy Hash: bd158a233168a9231034e2d6fb3ba11173be53c49c512332790391796294a344
                            • Instruction Fuzzy Hash: F031B13920C2A15FE707D634A811AFD3BA1DB82224B1981A7E495CB6E3CB149C4B87E1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a60be7081536ea39b2c34a846bfc5d74b1cc5a84d54b385371258a8feeaec395
                            • Instruction ID: 628d873cd5f3b6ab696fcbd92428c69a387f919e145673671a8bc9767d0e131e
                            • Opcode Fuzzy Hash: a60be7081536ea39b2c34a846bfc5d74b1cc5a84d54b385371258a8feeaec395
                            • Instruction Fuzzy Hash: 733190B6B04105DFC704EFA8C855729B7A2FFE9319F24806DE4169B389CF7298038B45
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ab6feb5a5851c1a07fe74f1d225f180cff7546ed153ccbc63c97ffd726fd9fd
                            • Instruction ID: 3d222ae0da1da054b58d697552db9e1639e05f6ce46bae82cfcfb23d0cc73338
                            • Opcode Fuzzy Hash: 3ab6feb5a5851c1a07fe74f1d225f180cff7546ed153ccbc63c97ffd726fd9fd
                            • Instruction Fuzzy Hash: 133168B4A10248CFDB10DF68E888AADFBF5FB49311F008298E40A9B346DB34AD41CF11
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27de866008907c7b39e5f9c98a863e7f06343775a79cee1d0740a9a8c82abafc
                            • Instruction ID: b6dc43fe966493cc5477d7548c19546751091d372a1797a09122c82cea1d0a1b
                            • Opcode Fuzzy Hash: 27de866008907c7b39e5f9c98a863e7f06343775a79cee1d0740a9a8c82abafc
                            • Instruction Fuzzy Hash: B2217A75D06354DFDB09CF6AD444AADBBB2BF8A321F1480AEE449AB212C7754945CB40
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270158321.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_111d000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 950619e770005e3bc77207856f7d4f7075a915399ccf8848351919ea0708981f
                            • Instruction ID: 41db356aef7d4609d003dfc134c85871944d63457e63fce88240dac44f9358b7
                            • Opcode Fuzzy Hash: 950619e770005e3bc77207856f7d4f7075a915399ccf8848351919ea0708981f
                            • Instruction Fuzzy Hash: C221F171604240DFDF19DF54E9C8B26FF75FB88328F20C579E8090A65AC336D456CAA2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00f9f91d7de580186b1701e30ce30b382c78a575bea923a0e168ebc9db466ad2
                            • Instruction ID: 468f3127567db2780a130d111ca62cc6d541727864140b8247a012d958de35cd
                            • Opcode Fuzzy Hash: 00f9f91d7de580186b1701e30ce30b382c78a575bea923a0e168ebc9db466ad2
                            • Instruction Fuzzy Hash: 842154743502214FEB09BB39C458B6E339AAF98B04F14417DE506CB7E6CEB1EC428791
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02fac09590e0cb5e1630081a3ad53c836bf8ff6be3f3a4fe528fcc0986e5b5f6
                            • Instruction ID: c8b5ffb4e5e90f3ce425cd91a9cfeb755632fb9f23f5d8a78c9c7d672b4fabf1
                            • Opcode Fuzzy Hash: 02fac09590e0cb5e1630081a3ad53c836bf8ff6be3f3a4fe528fcc0986e5b5f6
                            • Instruction Fuzzy Hash: 6611AC3E34C1655FD70BD625FC119EC3BA1DBC9224B1880A7E442CF6A3CB109C0B86E1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270202381.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_112d000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fa5f07c9c91cc37d8980562306387b7a6c35e0118c1c56c9d01f1995507f1589
                            • Instruction ID: 109162a0d4173e0fb35ff1915a886c2fd32a9855aeecd1c4d8d44110fb42ef95
                            • Opcode Fuzzy Hash: fa5f07c9c91cc37d8980562306387b7a6c35e0118c1c56c9d01f1995507f1589
                            • Instruction Fuzzy Hash: 5C2107B5608204DFDF09DF94E9C4B15BBA5FB84324F24C56DD8494B342C336D856CB62
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270202381.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_112d000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bae94c202d1fa0b7babba3d5b816e2cd801a314fb77d64031a43f76da1f760de
                            • Instruction ID: ef93e595102567e28f5116b60df1804244a7a18b870a80ba899859ddcad73782
                            • Opcode Fuzzy Hash: bae94c202d1fa0b7babba3d5b816e2cd801a314fb77d64031a43f76da1f760de
                            • Instruction Fuzzy Hash: DF212271604340DFDF19DF54E9C4B16BB61EB84314F20C5ADD84A0B2A6C33AD827CB66
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 651258cfc46b87c9b504a24dbe1456fa3539039bfdb85c89d8c4ffa8f275e762
                            • Instruction ID: 208bb0e97cb85e3d0b5f1f593aa18dcaf8a9b781eed3a10212cd5fe151c1bd28
                            • Opcode Fuzzy Hash: 651258cfc46b87c9b504a24dbe1456fa3539039bfdb85c89d8c4ffa8f275e762
                            • Instruction Fuzzy Hash: E81126BA719281DFC705DA24C880A79BB71EB852F6F24847ED4168F356CBB29C02C791
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 30f80c2ef1cdc7af383946fba655be98941822314a48b1a8b907e1b28604919c
                            • Instruction ID: b82602d35378da6a1f6f0454e6233c1fc9d642dc975db154c650825f14ca5366
                            • Opcode Fuzzy Hash: 30f80c2ef1cdc7af383946fba655be98941822314a48b1a8b907e1b28604919c
                            • Instruction Fuzzy Hash: 3621E231A007018BDB05EF39C894695BB71EFA6308F0986BEE8492F35ADF71A484C791
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 406a2489c31ae3a05fa491162f2b054927181323be3e6f1a157b41d6955bc3e0
                            • Instruction ID: 7cc6b8a90ffc905dac9ed589a58bf2eacf98c0f3173069b541e21ff9a30b7a15
                            • Opcode Fuzzy Hash: 406a2489c31ae3a05fa491162f2b054927181323be3e6f1a157b41d6955bc3e0
                            • Instruction Fuzzy Hash: F411C1B5A007159B8B15EB798C409BFB7FAEEC42317148A3DD868D7390EF308A0583A1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d6c0626a659ab53725e035795c1e12bd4b23537aca5b8db706f0a9559d63667
                            • Instruction ID: 6ebdd17e2123df2a1ade82fc4e7057fb4e6ae0bba33827f433da80a3cc1f244b
                            • Opcode Fuzzy Hash: 1d6c0626a659ab53725e035795c1e12bd4b23537aca5b8db706f0a9559d63667
                            • Instruction Fuzzy Hash: F33143B4A15254CFDB40DF68E944BADBBB6FB85312F0082A8E4099B359DB30AD44CF42
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42c114fb8e6a86cdc6a8349da9b2e6ed1f3e40b819e79509bc2944b414f413e4
                            • Instruction ID: 73dd932cf98054e7edaafc707a281816c6840f790b7a88ce220af35ce602d65e
                            • Opcode Fuzzy Hash: 42c114fb8e6a86cdc6a8349da9b2e6ed1f3e40b819e79509bc2944b414f413e4
                            • Instruction Fuzzy Hash: 8D2109B8D09249DFCB44CFA9C1809AEBBF5FF4A321F609599D809A7712C3309A41CF61
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 081dd8180748d404110688b49552fd7ca3804651bc1bd40188d1be41d78a6b80
                            • Instruction ID: 825d0e26ba145a2c5beb82f59fbf35482cafe6314dfce67d12696121a6ee504f
                            • Opcode Fuzzy Hash: 081dd8180748d404110688b49552fd7ca3804651bc1bd40188d1be41d78a6b80
                            • Instruction Fuzzy Hash: 22115EB174023697DE28727964143BE27EB8FC4169F14007ADB0ACB688EF35D843A396
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270202381.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_112d000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14439724fe57c2814b53804993b417cd6f75935713ae77ab22536958987b6231
                            • Instruction ID: e3f3d049ea2fcc2536b57c31550a82af3e751458d2b366a28dc388a0e05dd3df
                            • Opcode Fuzzy Hash: 14439724fe57c2814b53804993b417cd6f75935713ae77ab22536958987b6231
                            • Instruction Fuzzy Hash: 2B2180755083809FCB06CF64D994715BF71EB46214F28C5DAD8898F2A7C33A9816CB62
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7ffa7c686473353ce6241c5ea58b1044150e0e4dfc6cac056411e96d68fc9208
                            • Instruction ID: 220bf7a72b78de31c2b3b3a976158d6569d23b96750907ddb04f3fa206caadbb
                            • Opcode Fuzzy Hash: 7ffa7c686473353ce6241c5ea58b1044150e0e4dfc6cac056411e96d68fc9208
                            • Instruction Fuzzy Hash: D621C674A00918DFC704DF9AE684999BBF1FF8D310B6281E8E444AB326DB31EE14DB04
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ecf470213313223099ec113b8d714e14866d28c95bb9d3dd00d3203a0e9fda35
                            • Instruction ID: 86e80e644d5e8561e954e74eca48db283791a37fa2a2af738fea71960b2f0b95
                            • Opcode Fuzzy Hash: ecf470213313223099ec113b8d714e14866d28c95bb9d3dd00d3203a0e9fda35
                            • Instruction Fuzzy Hash: A41104B3704242DFC704A6B8D84056EBBA6EFD9276B1480AED406CB35ACE315C0287E1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea6e82fd997d504db9b8670a1457bfd0395dfc4112e327f60c2aa5088af62a6a
                            • Instruction ID: 8a4d80f23d985c4505e7e8949318438d0c49af3cf02deb472163caaa373ea33a
                            • Opcode Fuzzy Hash: ea6e82fd997d504db9b8670a1457bfd0395dfc4112e327f60c2aa5088af62a6a
                            • Instruction Fuzzy Hash: 4321C7B8D09209DFCB40DFA9C180AAEBBF5FF49321F609069D809A7715D7309A41CF51
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 90758e68f18f62bceff9f2aaeaddd0b5e094eb8505ae25bd80094a95897c56e2
                            • Instruction ID: d6be2cfb7bdbeb5c99fd6ec67bd0f4fb020ccd5f6ae5932e50bdd81e95372b20
                            • Opcode Fuzzy Hash: 90758e68f18f62bceff9f2aaeaddd0b5e094eb8505ae25bd80094a95897c56e2
                            • Instruction Fuzzy Hash: DA11A3B5F003469B8B15EA799C408BFB7F6EFC4260714493DD854D7350EF3099058361
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 701fe36fa8238e67dfed9e21be30c910fd71d5e64a0e22f066d5d7af36b65a32
                            • Instruction ID: fcd1b59e1dea6fcc8bda7406f455e1341423f72893972e820c2cd483e5fa2295
                            • Opcode Fuzzy Hash: 701fe36fa8238e67dfed9e21be30c910fd71d5e64a0e22f066d5d7af36b65a32
                            • Instruction Fuzzy Hash: 13112172F0020A9BCB15EBB998106EEBBF6AFC4351B20407EC545E7354EB719D02CB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b758087ce9d69de5745dffb2e68be685c9ea6f97e9e39b6cc1e7d186b7e3f9c2
                            • Instruction ID: c7620aead9966e0328bd94d947c2271ad71fedb1c0757a4b1eead70b93d830f6
                            • Opcode Fuzzy Hash: b758087ce9d69de5745dffb2e68be685c9ea6f97e9e39b6cc1e7d186b7e3f9c2
                            • Instruction Fuzzy Hash: 512172B9A09229CFCB50CF68C984BACBBB5BF49211F1491D9D44DA7312DA309E85CF64
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1efa10e620f8cfac56102e64a799efe2505e80629f259ebab1001557f3c5903a
                            • Instruction ID: 9266331c4d098d7a6a6dbc5da10c6c1e2764a5fe0c4151a4d24dd55bfa82c3de
                            • Opcode Fuzzy Hash: 1efa10e620f8cfac56102e64a799efe2505e80629f259ebab1001557f3c5903a
                            • Instruction Fuzzy Hash: D51116B4D08248EFDB04DFA9C1409ADBFF5EB4E321F109599C458AB316D3309A45DB80
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270158321.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_111d000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                            • Instruction ID: fd65f9bdf00011157770473c15668c0922ae80dba53d06d3a2250e85833db1ce
                            • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                            • Instruction Fuzzy Hash: 5C119D76504280CFCF1ACF54E5C4B16BF72FB84324F2486A9D8490B65AC336D456CBA2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7780ecde6c7e2c9a0488c7be8b2a1d38bf5359dbd93039b10fb4becf418b1009
                            • Instruction ID: fe2380a0007f2a0f75176539f101e98c1b40921c222c0ddc6ecf69fa93c702c0
                            • Opcode Fuzzy Hash: 7780ecde6c7e2c9a0488c7be8b2a1d38bf5359dbd93039b10fb4becf418b1009
                            • Instruction Fuzzy Hash: 8221C4B4E05258CFCB64DFA4C984BA8BBF5BB49321F1480EAD509AB342D7759E84CF10
                            Memory Dump Source
                            • Source File: 00000001.00000002.1270202381.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_112d000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                            • Instruction ID: 46864b6283ceeb9864f1153e8290ce3d14cd88343eae17203e1d1c73b990296c
                            • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                            • Instruction Fuzzy Hash: 74118EB9508240DFDB06CF54D5C4B15BFA1FB84314F24C6A9D8494B656C33AD45ACB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: feb84562f502f23ff06112b847f6b1b1a663306a1adae3bc9829743c9b9914c0
                            • Instruction ID: d0802513aaaff93c5b2d9b4adab5521370281dbc905bf39b72e0b782dec1881e
                            • Opcode Fuzzy Hash: feb84562f502f23ff06112b847f6b1b1a663306a1adae3bc9829743c9b9914c0
                            • Instruction Fuzzy Hash: 93112B352093409FD7259A34DC50BAB7B79ABCA324F1844AAD9958F3C6C635A842C771
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e9a2fab9f584d48b52547097fd1736e46ba053eb647ffa6e3f83e31fd1cb5b5
                            • Instruction ID: f0ab5c1e387c2892495b13038c6dafd55f561e9876c0a19792faf01d706fec29
                            • Opcode Fuzzy Hash: 4e9a2fab9f584d48b52547097fd1736e46ba053eb647ffa6e3f83e31fd1cb5b5
                            • Instruction Fuzzy Hash: FA116975A09298DFDB05DBB9C584AA8BFF5EF4A210F1880D9E849DB366C7309E04DB40
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ee1a2b7981292f17951d9b04a5b01dd6b52be4907dd3e17f5deb95957e91a4
                            • Instruction ID: d0308216b6f6f5c44650bdf3714127173d1f9fd8d37d33d38a3e2f635e346c1c
                            • Opcode Fuzzy Hash: f4ee1a2b7981292f17951d9b04a5b01dd6b52be4907dd3e17f5deb95957e91a4
                            • Instruction Fuzzy Hash: CB01A29250E3D59FD7173B3898292E53FA19F13521F0A05EBD0C18F0A3D559484DC7A6
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1605238820f72eed86372da0b0e3e295c973a877247b4b7f0c0cd9dabd183ece
                            • Instruction ID: 3bc00ffdbcc42b7caaaf19c12164666e182a1bf88635d3a1f90d87aec9f9b651
                            • Opcode Fuzzy Hash: 1605238820f72eed86372da0b0e3e295c973a877247b4b7f0c0cd9dabd183ece
                            • Instruction Fuzzy Hash: 5E01F7753452218FDB642A36A40C3AE3EF8F78A35DF54403EE00EC3249CB748886C7A0
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7637482bf8937758904a4d9c3c5c52cad1a9a17ec3175e7f5b384b11bf8bc5a9
                            • Instruction ID: d62d11bb291ad3816fd6e543eafbfc80a44a001f4cfd44c632a9aaa2c0e8e0af
                            • Opcode Fuzzy Hash: 7637482bf8937758904a4d9c3c5c52cad1a9a17ec3175e7f5b384b11bf8bc5a9
                            • Instruction Fuzzy Hash: 480171B190D2C4DBCB06CB75D5549F9BFB8DF4B211F0491E9D0499A222C3304A05DB41
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b112b5d1e1a1fe1f590d128d4bfd5dcfb4bdfac190aca84c7d2a6af8b463723d
                            • Instruction ID: dae4ed50952819aedc077f70acd61f0ad021bc36abb2d7273c21d46aa7733ca6
                            • Opcode Fuzzy Hash: b112b5d1e1a1fe1f590d128d4bfd5dcfb4bdfac190aca84c7d2a6af8b463723d
                            • Instruction Fuzzy Hash: FAF0B216C2A3E15BF3137B7C94B46DA7F60DEA3A66B494483C1944D0538805048FC6EF
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38ee5080063c22fc336707182d396c1dd7bfcd9b5d65211ca87024047af6d5ab
                            • Instruction ID: fd96813855dca5cce9d4b77b692cf604f6ecc6535e584114e2b36eefa729094b
                            • Opcode Fuzzy Hash: 38ee5080063c22fc336707182d396c1dd7bfcd9b5d65211ca87024047af6d5ab
                            • Instruction Fuzzy Hash: 5801F231E083A49BD712EB7CD4645DA7FB19F97264F1440AAC442DF396DA214C0EC7AA
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ccb160b23d045efd6bfb563b75e5b793fccad7a8126b89730ddd3648ea0431a
                            • Instruction ID: dbf2f7d5df276e850ec292ce84856d89c6be300bb322445f79174efe9c736c27
                            • Opcode Fuzzy Hash: 6ccb160b23d045efd6bfb563b75e5b793fccad7a8126b89730ddd3648ea0431a
                            • Instruction Fuzzy Hash: 5C01FB75A08158EFD704DFA9C684EADBBF9EB4D211F158099E909AB356D730DE00DB40
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71e5f2832ec738f10d627580f2125eaf41885e57cedc4c2ba6ef8a6fcba906b0
                            • Instruction ID: a48b954233ec3fe3a4a00b8c3788d9413e81b84ce5ee49ec98897ea0dd540bfd
                            • Opcode Fuzzy Hash: 71e5f2832ec738f10d627580f2125eaf41885e57cedc4c2ba6ef8a6fcba906b0
                            • Instruction Fuzzy Hash: 47011778C05249AFCB00DFA8D5949AEBFF0FF09210B20859AE844E7341D3309A40CF91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ecc4bfd79b607247c3a202e6179cc0df48ce54ab250fdfb1ac285399129154e6
                            • Instruction ID: 835b4e44b5fae08f304f0d6e1d0087b3e2b66369eb1cadf5e86fe0f1e7faf7ed
                            • Opcode Fuzzy Hash: ecc4bfd79b607247c3a202e6179cc0df48ce54ab250fdfb1ac285399129154e6
                            • Instruction Fuzzy Hash: 6FF04CB17143114BC712F7B9B01024AFBD4EF922B8B4489BFD61ED7759EA729C404B90
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 952cf8c0b229230e8e6f169ee72bdc3e21d4053cf2fcaf0b95991baeb1fa9050
                            • Instruction ID: c829f9e837e07ef6c2e9e456193d9c5102b0e80f2172401e63387444549c76c9
                            • Opcode Fuzzy Hash: 952cf8c0b229230e8e6f169ee72bdc3e21d4053cf2fcaf0b95991baeb1fa9050
                            • Instruction Fuzzy Hash: 2E01D230A10329CFD725DB30D894BDEBBB1FF81205F4085A9D0599B296CB349D86CF91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5bd4c3ae8fa6fa11fe96e0bbc98e80d04c4b1d75c25d4708a645af1a23b81453
                            • Instruction ID: 513517174e7713022e926c3bf6a4e1a8809131cbdcf7c908e981d2522de780ae
                            • Opcode Fuzzy Hash: 5bd4c3ae8fa6fa11fe96e0bbc98e80d04c4b1d75c25d4708a645af1a23b81453
                            • Instruction Fuzzy Hash: 25F0C86230C1919FC314EBB5D8144257B66DBE717231554AAE507CB3AADAA18C02C3A5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6954aba37bc9880b264895fa2dfbe16c2a96a2c85db6c81e7fe18eb7e1678c7b
                            • Instruction ID: 540f2404502a6a5a0b16e6e48f2a1230b1df51f824b1b87b65e0c8e4c0409d96
                            • Opcode Fuzzy Hash: 6954aba37bc9880b264895fa2dfbe16c2a96a2c85db6c81e7fe18eb7e1678c7b
                            • Instruction Fuzzy Hash: C901AD30644211CFD715AF28D884AAE77B6FB85319B2484A6D402CB6A5CB74EC47CBD1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53331bc365612a1dca6b84bf509c8fb646818a004fd5e5be2b284d1536d07b0d
                            • Instruction ID: 71676a6af9d75060a5eee5b39fae280c686348ac7a58646fd0f1d3ba03e212ec
                            • Opcode Fuzzy Hash: 53331bc365612a1dca6b84bf509c8fb646818a004fd5e5be2b284d1536d07b0d
                            • Instruction Fuzzy Hash: 290125B4E14308DFCB60DFB4E84649DFBB5EB88211B21C328D415AB385DB389842CF12
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09c9434f734a8bc1ded5ed378cba7e63053c4fd14f135c163b77951a9b07de32
                            • Instruction ID: acf908ee510c5bc43488866bd024f9df4740e2cac188b6d3ea09684add33b216
                            • Opcode Fuzzy Hash: 09c9434f734a8bc1ded5ed378cba7e63053c4fd14f135c163b77951a9b07de32
                            • Instruction Fuzzy Hash: 4CF0AF30310320CFE728BA35C400BAA73EAAFC6619F10446ED54A8B318CB31EC03CB62
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c80596b02b22102b54506a30b6e599cca042b67eb25f4551cc410d6728a7a8ce
                            • Instruction ID: 891958d8b0fe69a372efd649effdaf3bd199534a3b781bcb2f493879e1e676ba
                            • Opcode Fuzzy Hash: c80596b02b22102b54506a30b6e599cca042b67eb25f4551cc410d6728a7a8ce
                            • Instruction Fuzzy Hash: BA01D130644316CFD326EB30D4947BE7BB2AF81215F188479D4528B686DB349C0BDBD1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b2b7dc367d033e3129262f523f68aca7f78ed1b83e1c45c482e8b35af01d531c
                            • Instruction ID: 52c6d9d5f5014e1db443926adb6774117a0f38dd6efdec706b0b9ce7ee870b3b
                            • Opcode Fuzzy Hash: b2b7dc367d033e3129262f523f68aca7f78ed1b83e1c45c482e8b35af01d531c
                            • Instruction Fuzzy Hash: 86018F30A04365CFD725DF34C894BEEB7B1FF85211F1489AAD4569B295C7309C86CB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00dd4ce6844e4065259660f1330b6f43650ada84260ad9c87321aaba47091fce
                            • Instruction ID: 3c43317e50c1605f6f1f0a83dd459d2f6a0fa953527aa9e12872c60e5c58ea37
                            • Opcode Fuzzy Hash: 00dd4ce6844e4065259660f1330b6f43650ada84260ad9c87321aaba47091fce
                            • Instruction Fuzzy Hash: 5CF0AF30A106158FCB04EBA8C45989DBFB1FF84304F018199E60A9B365EF30AD84CBC1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8af366343281acf94852ed99fa068faa99a040364ba93f54615f3759cd39f625
                            • Instruction ID: cc92ac6ba694d63645a740351c8915b0f961d4fa88f0853b71ea20827e6159bd
                            • Opcode Fuzzy Hash: 8af366343281acf94852ed99fa068faa99a040364ba93f54615f3759cd39f625
                            • Instruction Fuzzy Hash: 04F097316082628FE303E224C804BFE7BA69BC1205F488032C150DB585CB34CC47ABD1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 039919d6410c91f53ff131221e8abb1bc54569b3f51369448d1cc5c54132c21d
                            • Instruction ID: 3d1543e0656b593411d838f903a9a7639a673fa3d62b1c00913c39f38f9a595a
                            • Opcode Fuzzy Hash: 039919d6410c91f53ff131221e8abb1bc54569b3f51369448d1cc5c54132c21d
                            • Instruction Fuzzy Hash: 67F0A777308011DF8514AB79D40183AB7AAEBE56777209469F507CB74DDEB19C0387A4
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 91774fd71278f4b956a02aca79a84ff16d15ee24ffefba3c4abba6afab5af9dd
                            • Instruction ID: 1375a65ebe39fd00540a997fae92b41cba494c03644027bab240ed2b9291b838
                            • Opcode Fuzzy Hash: 91774fd71278f4b956a02aca79a84ff16d15ee24ffefba3c4abba6afab5af9dd
                            • Instruction Fuzzy Hash: 1501C4B9905228CFCB60CF68C880BA8B7B5FF49210F1091E9D45DE3341DB309A85CF10
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4abddf3dc53fd6f86128229d7f09a76092e58bf5e5c2389d1c09685742bd8e5
                            • Instruction ID: 497f520775de8bc088aa108cf28494466490cdeb6492a4c826b2b39b8da5ebc7
                            • Opcode Fuzzy Hash: e4abddf3dc53fd6f86128229d7f09a76092e58bf5e5c2389d1c09685742bd8e5
                            • Instruction Fuzzy Hash: B901E8B8D00209EFCB40EFA8D5449AEBBF4FB48311F108199E854A7381D7349A40CB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a26dc59d7636a4c7086bfff1ce30d1340f75d0d9b3159e5d557c12c41b58a8f8
                            • Instruction ID: 5718759ab5444fff83c80e1a447928c4ecc4bcaf3383d574ed75c01ae20c161e
                            • Opcode Fuzzy Hash: a26dc59d7636a4c7086bfff1ce30d1340f75d0d9b3159e5d557c12c41b58a8f8
                            • Instruction Fuzzy Hash: E6F04F74A11349EFCF48EFB8E45959DBFB1FB84205B2081A9D4059B358EF306E05DB51
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf08cd4c725939f94a37781e6a08659c855f0ee10c5a08d2d33e87e2017f3a9b
                            • Instruction ID: 2ed3ee8ef3471dd5640b0892b8d66acb452559c722c84c02fde594aae52fe73e
                            • Opcode Fuzzy Hash: bf08cd4c725939f94a37781e6a08659c855f0ee10c5a08d2d33e87e2017f3a9b
                            • Instruction Fuzzy Hash: 0DF05E747009258FC718AA3AD418A6E37EAAFC5B18F0440BEE509C7325DF609C129791
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9eb38b62ff9ff2c954bddb1bb1986c6e950ac457cf40d915f6afb93c823ef6e6
                            • Instruction ID: 3a552a77ba8f9f584166a4520b9a29a01f6152a8f77391a6dcf123b90867bbe0
                            • Opcode Fuzzy Hash: 9eb38b62ff9ff2c954bddb1bb1986c6e950ac457cf40d915f6afb93c823ef6e6
                            • Instruction Fuzzy Hash: DA01F6B0E1024ADFCB10DFA8D94565DBBF1EF48201F11C1AAD408A7304DA349A468F21
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e6ea8f51e242b825337eac8c11e5f639f33c5d05d296139f62c9ff8823206a9
                            • Instruction ID: a5f214a3a432a7577b99ea2aafa4bf8ca87d216796a88e99f21b81117a3692f8
                            • Opcode Fuzzy Hash: 4e6ea8f51e242b825337eac8c11e5f639f33c5d05d296139f62c9ff8823206a9
                            • Instruction Fuzzy Hash: 0EF0E7B9E05298EFCF12CFA8C84198CFFB4AF08200F24055AE545A7352D7315952DF11
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bcbaddb7bc1585938968b133ed28e75e1c785c3faf007620f1e6aff2e84a73d3
                            • Instruction ID: a4b10b00558304e4ec0e0225d2fa110e3e26a78ae0207f44b8d6913b79ebf2f8
                            • Opcode Fuzzy Hash: bcbaddb7bc1585938968b133ed28e75e1c785c3faf007620f1e6aff2e84a73d3
                            • Instruction Fuzzy Hash: 2BF042B9900249DFCB40CFE4C59199CBBB1FB4D355B248559D826AB314D731A907CB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0033dfb309baa7067605d09f954a376727c6cf3597a6c49c68cd426e3c4e9633
                            • Instruction ID: 3be7f75914766afb5d5e46c475ecf1c10d77d2525812a86e5b3e45f959dacf7b
                            • Opcode Fuzzy Hash: 0033dfb309baa7067605d09f954a376727c6cf3597a6c49c68cd426e3c4e9633
                            • Instruction Fuzzy Hash: 9BF0B2F9C09259CBCB24CFB5C5447BEBBF4AB09222F1050AAD51AB6300E6344A81CF60
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 247abcca7773795e46f792a6d0efa7f3a264030a59d8f91f0870c28845992e9b
                            • Instruction ID: 92433f7b90127069967cea06b5d5e7687d08592f716b6254329c2e078a899014
                            • Opcode Fuzzy Hash: 247abcca7773795e46f792a6d0efa7f3a264030a59d8f91f0870c28845992e9b
                            • Instruction Fuzzy Hash: 35E092353204248FC708AF28E455A9E37B9EF4DA24B05419AE902C73A1CF64EC028BC4
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 348f032dc04b866cbbfea9384e0022c975d9d70b959224f41baabf5f2b89aaa5
                            • Instruction ID: bf4d59d8d4edb469a902b533c950cedbf4f9f7ebd9ae21dba644c863a9a5731e
                            • Opcode Fuzzy Hash: 348f032dc04b866cbbfea9384e0022c975d9d70b959224f41baabf5f2b89aaa5
                            • Instruction Fuzzy Hash: E4E09B353206108FCB049B28D45595D37B5EF4EA15B514099E905C7360CF60EC0297C4
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5cae2231ecff69a4f88394c244026d7b98a1f372133b5869d265b63eeabaf374
                            • Instruction ID: 6fc33f39400388e679f2fd83e5fa8511083ce46aa959081e3e030a987991dccd
                            • Opcode Fuzzy Hash: 5cae2231ecff69a4f88394c244026d7b98a1f372133b5869d265b63eeabaf374
                            • Instruction Fuzzy Hash: EEE09236324524DFCB44AB28D455A6D37BAEF8EA14B415196F906CB3A0CF70EC028BC9
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4fe13486a9cdde30b34f8d0003cf7cbaccbcba2684fc41516e9b795b626a773d
                            • Instruction ID: e518d5a199eeb832881ef65784efe4522c23dc16383214ed04dc725c04402498
                            • Opcode Fuzzy Hash: 4fe13486a9cdde30b34f8d0003cf7cbaccbcba2684fc41516e9b795b626a773d
                            • Instruction Fuzzy Hash: 27E0DFD320CAE1CFC70A51FA52281B93B534B2F2BF78800ABD84BCE457E80749048A23
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aadb68a7d50ede8ba1871fdce2dce7f0fbd24f73b55ac06a1566a2b16bdd8655
                            • Instruction ID: 0eec968aa9fd0cbf47e02b5dcb3c6767b87e47f328085fa51ef63b9cc0ea715b
                            • Opcode Fuzzy Hash: aadb68a7d50ede8ba1871fdce2dce7f0fbd24f73b55ac06a1566a2b16bdd8655
                            • Instruction Fuzzy Hash: 4FE012363245249FC704AF28D455A5D37AEEF8EA14B454095E906C73B1CF70ED11CBC5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 301c4d8536b3acd34278ed302963d9ba10a70b150fbd261b170801262eb2644e
                            • Instruction ID: 7a8040dc7a7bd4d47b742fb6cd7bfd7e99b8011235c0e9c9f87d728ec063cda6
                            • Opcode Fuzzy Hash: 301c4d8536b3acd34278ed302963d9ba10a70b150fbd261b170801262eb2644e
                            • Instruction Fuzzy Hash: F6F01D74A10318CFDB25DF74D494A5EBBB2FF44205B209E29D8429B7A6EB35AC02CF41
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 543291cc657d9aa63d9f100023dd29ffbff95879fe8fa9381b208d0c50c3032a
                            • Instruction ID: 9499be646c008520a7a86032c5eeeebaac5735161d89aab85aeff470b41f94ca
                            • Opcode Fuzzy Hash: 543291cc657d9aa63d9f100023dd29ffbff95879fe8fa9381b208d0c50c3032a
                            • Instruction Fuzzy Hash: 6FE0D8B17153147BE71455009C52F62372CCB95764F548421FA058A3C4DFA1BC036591
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a57af81dd039f47bf8b3205843637b1e463d527a3b1487df98110ca10095717f
                            • Instruction ID: 9e9cb80d5ba777741262e1f50d4966819bb1d6f41298eacde1f5f260880802b2
                            • Opcode Fuzzy Hash: a57af81dd039f47bf8b3205843637b1e463d527a3b1487df98110ca10095717f
                            • Instruction Fuzzy Hash: D1F039353205108FDB49AB28D5998683FB1EF4DA613111086E80ACB362CF709D018B81
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e419b91fa163ce7559b0ef9c4002e4eff73ae9c5340502c97aa1a9901ded26f2
                            • Instruction ID: 2f32cd331e39e7029f318fa7ea3e51eaefb14bc4d1a30e164f9efda7de18877a
                            • Opcode Fuzzy Hash: e419b91fa163ce7559b0ef9c4002e4eff73ae9c5340502c97aa1a9901ded26f2
                            • Instruction Fuzzy Hash: B4E022A360D3818EC705A2B894014AA7F759F9E375705449FC04ADF297C9620C028761
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac538ec78ab59e93b8153febbea20f5edcccd3468a652a4a05cb954aeb215049
                            • Instruction ID: 9ee6b665a77e9f357b98d9c842b45382d6d81a90391b6394f6a321ae8d8d3b5f
                            • Opcode Fuzzy Hash: ac538ec78ab59e93b8153febbea20f5edcccd3468a652a4a05cb954aeb215049
                            • Instruction Fuzzy Hash: 58E06D353254548FCB05DF68D9544AE3BA1AF89A1535180CAE9068B3A1CF319C068F81
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 214f93d99c019e7a6f58aff3536a14127a17d98e1182e86b929dc07e254da8da
                            • Instruction ID: aee41992f6eec113a985d3d0b1342bda5ee98b338ccce670f7b37e4e740bdf96
                            • Opcode Fuzzy Hash: 214f93d99c019e7a6f58aff3536a14127a17d98e1182e86b929dc07e254da8da
                            • Instruction Fuzzy Hash: B0E026F0B21328AFD324A9115C11F31326D9BC9760B204831FA058F3C8DFB2AC0266A5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e3da5e4075b0fd9e0fdaa4f12719614ad5e2cd8734e0ac547a3a6f235a660a7
                            • Instruction ID: bc77c16d994a6aa4356770806ea6f9204a1435c829d78f687367e04bc84e632a
                            • Opcode Fuzzy Hash: 9e3da5e4075b0fd9e0fdaa4f12719614ad5e2cd8734e0ac547a3a6f235a660a7
                            • Instruction Fuzzy Hash: 70F0A7305007018FE7269B30C094B3E7BF3AF84206B558429D5624B650CF34AD47EF91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2eaa9920fa4d5ff59135af177518f1b1b3b35a271abd3318d39f254fcee88c0c
                            • Instruction ID: d29adee4073217073dd879041c8730ce388dbb3dbc32da281775f5482a863b57
                            • Opcode Fuzzy Hash: 2eaa9920fa4d5ff59135af177518f1b1b3b35a271abd3318d39f254fcee88c0c
                            • Instruction Fuzzy Hash: 0DF03930614349CFE725AB34C09966E7BB6BB85202B104828D4838B744DF38AC07DB82
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f2df8a8b24eaa3360d15025cddef1a3ebc436f0c691b086a094d97e0f457bcba
                            • Instruction ID: d7f2f54ed95c69137d2bfc6f46d0c6e9a24921d7fe26901b2f331298966cfacb
                            • Opcode Fuzzy Hash: f2df8a8b24eaa3360d15025cddef1a3ebc436f0c691b086a094d97e0f457bcba
                            • Instruction Fuzzy Hash: CFE04635324528DF8B08EF28E45486D77B9EF8EA18301419AF90ACB3A0CF71EC018BC5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1bdbc0f45d760d34aaa2d9d018e63591e545c7b17a8e30bb04cdf20f4cd496c2
                            • Instruction ID: 906bd0f4eaffc3c5db48b062be52ebdc1293386bf77eb471489403a73c084666
                            • Opcode Fuzzy Hash: 1bdbc0f45d760d34aaa2d9d018e63591e545c7b17a8e30bb04cdf20f4cd496c2
                            • Instruction Fuzzy Hash: C9E0EC353246249F8B08AF2CE45886D37A9EF8EA25351419AF906CB3B1CF71EC11CBD5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4c401e5ed14b304d7a541ffab3f2e30e091a2efd47b1792e17854dd86c0c8418
                            • Instruction ID: 12b1071313cbb75c25e725c1d6062867e937a7d59fb1f489e815021131d51c93
                            • Opcode Fuzzy Hash: 4c401e5ed14b304d7a541ffab3f2e30e091a2efd47b1792e17854dd86c0c8418
                            • Instruction Fuzzy Hash: 58F0A731908304CFD724DF30C494B5ABFB1FF41204F248A6DC496AB252DB346446CF51
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: daf56c9fc6e84628b8791c8f004d36a6088a3f1374d98169456751608ceacd2c
                            • Instruction ID: 1e78a1aa1e5fc500b43c680fd67ba6d0c1c026d959640d791eb1713481b040b8
                            • Opcode Fuzzy Hash: daf56c9fc6e84628b8791c8f004d36a6088a3f1374d98169456751608ceacd2c
                            • Instruction Fuzzy Hash: F0E04F353244248F8704AF28E45489D37A9EF8DA14301009BE506CB3A0CF70DC018BC5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c1194635ec3de4180d0354c9fb52c21d60e6e8e8fa58e095d9705ae2d546431
                            • Instruction ID: 49bcea683a35e7d37cffe76e9eb64c1ba5ae8634ee51f82707284c3ff0d5f35b
                            • Opcode Fuzzy Hash: 7c1194635ec3de4180d0354c9fb52c21d60e6e8e8fa58e095d9705ae2d546431
                            • Instruction Fuzzy Hash: 3BE0BF353245249F8A05AB28E45485D77A9AF8DA15311409AE906CB361CF719C118BD5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4eba83f6d59a36f55a9621925dc77ed7af8f7f882cad0fed047ddf22aa4105f5
                            • Instruction ID: d4eb5af45785481e556f5aabbdbaef262eebff55d892aca88c34e80b43656369
                            • Opcode Fuzzy Hash: 4eba83f6d59a36f55a9621925dc77ed7af8f7f882cad0fed047ddf22aa4105f5
                            • Instruction Fuzzy Hash: F9E0B6353245249F8B08AF28E45486D37AAAF8EA25311409AE906CB3A1CF71EC118BD5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09411c99406d69b47138a7b0b84e1cbd00718f9fa616251297550576316d9018
                            • Instruction ID: 9b894961f80af8744c0f0144d27eea08c74298e66dd6237d3ccbe4291b86657a
                            • Opcode Fuzzy Hash: 09411c99406d69b47138a7b0b84e1cbd00718f9fa616251297550576316d9018
                            • Instruction Fuzzy Hash: 9DE046353245248F8B08AB28E45486D37AAAF8EA14301119AF906CB3A1CF70AC028BC5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c77cb9684309495223bf2e13f7524eacfe7b41ebf60fe23204f58e616ce1d13f
                            • Instruction ID: 3ae65879b3daba99235cb38df38627e71649374acf02525593167701305eab4f
                            • Opcode Fuzzy Hash: c77cb9684309495223bf2e13f7524eacfe7b41ebf60fe23204f58e616ce1d13f
                            • Instruction Fuzzy Hash: 1DE0B639320524CFCB48AF29E45886D3BF9EF8EA65311119AF906C7361CFB5AD018BC5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6eadfeb13e8a1a57ad0b2b92267255da03d5571c87a002cf785ec7d0ef6f70ab
                            • Instruction ID: 60712d64d6066ce3c11e3ee29b4afa5174080668b8354712bbdf682df0bc7464
                            • Opcode Fuzzy Hash: 6eadfeb13e8a1a57ad0b2b92267255da03d5571c87a002cf785ec7d0ef6f70ab
                            • Instruction Fuzzy Hash: 5FE08C353244248F8B08AF2CE45486D37AAEF8EA2430100DAF906CB3B0CF70EC028BC5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71219eea70266e8294d06099a60c505760902baa499498171ec134f61c24e713
                            • Instruction ID: 2fc8efc30405ffb291854814a2db4c6d4b73d8ad20c0e1e0fd536cf1ca75a625
                            • Opcode Fuzzy Hash: 71219eea70266e8294d06099a60c505760902baa499498171ec134f61c24e713
                            • Instruction Fuzzy Hash: 32E0B6353245289F8B08AB68E45486D77A9EF8EA19311419AF906CB3A1CF71EC118BD5
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8fa0000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45e5b9bdf2689cc56b110af8332d94586d2f63f9ecb3527c80bbd71a51928165
                            • Instruction ID: e4095a26cc0fc0e930832660f520bc6d7dfd375d815edb62618e0caa2a26952d
                            • Opcode Fuzzy Hash: 45e5b9bdf2689cc56b110af8332d94586d2f63f9ecb3527c80bbd71a51928165
                            • Instruction Fuzzy Hash: 13D0A9E320CD72CF460804FA632823A314B835D23FA90402BEE0BC9945EA03C9104953
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a06635006b3d1ceabec53ce0d57d47a8320ebaf61a9323df27a4819740bc391f
                            • Instruction ID: 426675834473927d5b1c959795320c87df59da0aeebeef9bf2c17fd0dba3827a
                            • Opcode Fuzzy Hash: a06635006b3d1ceabec53ce0d57d47a8320ebaf61a9323df27a4819740bc391f
                            • Instruction Fuzzy Hash: B2E012346103058FD629AB30C0A476E7B73AB84205F508928D45B4B740DF796C47EB81
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e1c80969cc3149578c9280226968c52a96009eb0f15811d8ee579d4d4ab306f
                            • Instruction ID: 5e8a54d1d0eb87f7c3303e879e59235387be3057bc4bf612d9e74b983530a7f3
                            • Opcode Fuzzy Hash: 4e1c80969cc3149578c9280226968c52a96009eb0f15811d8ee579d4d4ab306f
                            • Instruction Fuzzy Hash: C2E09230610305CBE729AB34C094B2F3BB3ABC4381F149818D0578B250DF38AC47CB92
                            Memory Dump Source
                            • Source File: 00000001.00000002.1283564411.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7920000_MT103-7543324334.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ecbe58cb36abd1e3aed38a8b79b0d27537b79ca86542567dcbf06ddb8eb8eebc
                            • Instruction ID: 10968389f59800a2834540d7c1a545f36e1c59f93c76f2d6aaec0abcc8cc6a7a
                            • Opcode Fuzzy Hash: ecbe58cb36abd1e3aed38a8b79b0d27537b79ca86542567dcbf06ddb8eb8eebc
                            • Instruction Fuzzy Hash: 22D09EB13553259BDF2CEB76A45453633EC6F8451D32089FDD41D8A662EA23E853D500
                            Memory Dump Source
                            • Source File: 00000001.00000002.1289786675.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                            Joe Sandbox IDA Plugin

                            Execution Graph

                            Execution Coverage:2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:1.9%
                            Total number of Nodes:753
                            Total number of Limit Nodes:17

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                            • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                            • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                            • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                            • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad$HandleModule
                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                            • API String ID: 4236061018-3687161714
                            • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                            • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                            • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                            • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\MT103-7543324334.exe,00000104), ref: 0040E9EE
                              • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                            • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\MT103-7543324334.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                            • API String ID: 2830904901-3179566290
                            • Opcode ID: 0cd4fde6fcb47545cace0fa7fd911bdfd4c95ac09e268c0cc0a3f31ecf5b26c9
                            • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                            • Opcode Fuzzy Hash: 0cd4fde6fcb47545cace0fa7fd911bdfd4c95ac09e268c0cc0a3f31ecf5b26c9
                            • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                            Control-flow Graph

                            APIs
                            • _wcslen.LIBCMT ref: 0040CE07
                            • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                            • CopyFileW.KERNELBASE(C:\Users\user\Desktop\MT103-7543324334.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                            • _wcslen.LIBCMT ref: 0040CEE6
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\MT103-7543324334.exe,00000000,00000000), ref: 0040CF84
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                            • _wcslen.LIBCMT ref: 0040CFC6
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                            • ExitProcess.KERNEL32 ref: 0040D062
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                            • String ID: 6$C:\Users\user\Desktop\MT103-7543324334.exe$del$open
                            • API String ID: 1579085052-2191379634
                            • Opcode ID: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                            • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                            • Opcode Fuzzy Hash: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                            • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

                            Control-flow Graph

                            APIs
                            • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: LongNamePath
                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                            • API String ID: 82841172-425784914
                            • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                            • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                            • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                            • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                            • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCurrentOpenProcessQueryValue
                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            • API String ID: 1866151309-2070987746
                            • Opcode ID: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                            • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                            • Opcode Fuzzy Hash: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                            • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                            Control-flow Graph

                            APIs
                            • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                            • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,771B37E0,?), ref: 0041384D
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,771B37E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                            • API String ID: 1818849710-1051519024
                            • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                            • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                            • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                            • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

                            Control-flow Graph

                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                            • GetLastError.KERNEL32 ref: 0040D083
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastMutex
                            • String ID: SG
                            • API String ID: 1925916568-3189917014
                            • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                            • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                            • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                            • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                            Control-flow Graph

                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                            • RegCloseKey.KERNELBASE(?), ref: 004135F2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                            • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                            • Opcode Fuzzy Hash: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                            • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                            Control-flow Graph

                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                            • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                            • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                            • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                            • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                            • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                            • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                            • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                            • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                            Control-flow Graph

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                            • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                            • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                            • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 00407CB9
                            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                            • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                              • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                              • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                              • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                            • DeleteFileA.KERNEL32(?), ref: 00408652
                              • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                              • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                              • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                              • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                            • Sleep.KERNEL32(000007D0), ref: 004086F8
                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                              • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                            • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                            • API String ID: 1067849700-181434739
                            • Opcode ID: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
                            • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                            • Opcode Fuzzy Hash: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
                            • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 004056E6
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • __Init_thread_footer.LIBCMT ref: 00405723
                            • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                            • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                            • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                            • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                            • CloseHandle.KERNEL32 ref: 00405A23
                            • CloseHandle.KERNEL32 ref: 00405A2B
                            • CloseHandle.KERNEL32 ref: 00405A3D
                            • CloseHandle.KERNEL32 ref: 00405A45
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                            • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                            • API String ID: 2994406822-18413064
                            • Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                            • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                            • Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                            • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00412106
                              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                              • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                              • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                            • CloseHandle.KERNEL32(00000000), ref: 00412155
                            • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                            • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                            • API String ID: 3018269243-13974260
                            • Opcode ID: 78734fea59190781a03b6456d66e0bf7232aacb85087176ce5126f2deed4f0f2
                            • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                            • Opcode Fuzzy Hash: 78734fea59190781a03b6456d66e0bf7232aacb85087176ce5126f2deed4f0f2
                            • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                            • FindClose.KERNEL32(00000000), ref: 0040BBC9
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                            • FindClose.KERNEL32(00000000), ref: 0040BD12
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                            • API String ID: 1164774033-3681987949
                            • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                            • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                            • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                            • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                            APIs
                            • OpenClipboard.USER32 ref: 004168C2
                            • EmptyClipboard.USER32 ref: 004168D0
                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                            • GlobalLock.KERNEL32(00000000), ref: 004168F9
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                            • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                            • CloseClipboard.USER32 ref: 00416955
                            • OpenClipboard.USER32 ref: 0041695C
                            • GetClipboardData.USER32(0000000D), ref: 0041696C
                            • GlobalLock.KERNEL32(00000000), ref: 00416975
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                            • CloseClipboard.USER32 ref: 00416984
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                            • String ID: !D@
                            • API String ID: 3520204547-604454484
                            • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                            • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                            • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                            • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                            • FindClose.KERNEL32(00000000), ref: 0040BDC9
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                            • FindClose.KERNEL32(00000000), ref: 0040BEAF
                            • FindClose.KERNEL32(00000000), ref: 0040BED0
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$Close$File$FirstNext
                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 3527384056-432212279
                            • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                            • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                            • Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                            • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                            • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                            • API String ID: 3756808967-1743721670
                            • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                            • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                            • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                            • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 0$1$2$3$4$5$6$7$VG
                            • API String ID: 0-1861860590
                            • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                            • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                            • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                            • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                            APIs
                            • _wcslen.LIBCMT ref: 00407521
                            • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Object_wcslen
                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                            • API String ID: 240030777-3166923314
                            • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                            • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                            • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                            • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
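The function above passes the CMSTPLUA elevation moniker to CoGetObject. Its string list holds the prefix "Elevation:Administrator!new:" and the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} as two separate entries, so the on-disk image never contains the assembled moniker; it is concatenated as a wide string at run time (hence the _wcslen call). The following triage scanner is an added example, not code from this report or from Joe Sandbox: it searches a raw dump for the assembled moniker, its two halves and the UACMe-style log markers listed above, in both ASCII and UTF-16LE, and reports offsets. The sample dump it runs on is constructed for the example.

```python
"""Triage check for the CMSTPLUA elevation moniker in a memory dump (added example)."""
from typing import List, Tuple

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"   # auto-elevated COM class from the listing
MONIKER_PREFIX = "Elevation:Administrator!new:"
ELEVATION_MONIKER = MONIKER_PREFIX + CMSTPLUA_CLSID

# Indicators from the function's "String ID" line, plus the moniker as assembled in memory.
INDICATORS = [
    ELEVATION_MONIKER, MONIKER_PREFIX, CMSTPLUA_CLSID,
    "[+] ucmAllocateElevatedObject", "[+] CoGetObject SUCCESS", "[-] CoGetObject FAILURE",
]
# Log strings are narrow; CoGetObject takes a wide (UTF-16LE) moniker, so both encodings are searched.
ENCODINGS = ("ascii", "utf-16-le")

Hit = Tuple[str, str, int]   # (indicator, encoding, offset)


def find_indicators(dump: bytes) -> List[Hit]:
    """Return every (indicator, encoding, offset) occurrence, ordered by offset.

    Overlapping indicators (the full moniker and its prefix) report the same offset on
    purpose, so a caller can tell an assembled moniker from a lone prefix or CLSID.
    """
    hits: List[Hit] = []
    for text in INDICATORS:
        for enc in ENCODINGS:
            needle = text.encode(enc)
            pos = dump.find(needle)
            while pos >= 0:
                hits.append((text, enc, pos))
                pos = dump.find(needle, pos + 1)
    return sorted(hits, key=lambda h: (h[2], h[0]))


def has_cmstplua_bypass(dump: bytes) -> bool:
    """True for the assembled moniker, or for prefix and CLSID both present (pre-concatenation image)."""
    seen = {text for text, _, _ in find_indicators(dump)}
    return ELEVATION_MONIKER in seen or {MONIKER_PREFIX, CMSTPLUA_CLSID} <= seen


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump: the indicators with null-byte padding between them."""
    pad = b"\x00" * 16
    return (pad + b"[+] ucmAllocateElevatedObject\x00" + pad
            + ELEVATION_MONIKER.encode("utf-16-le") + b"\x00\x00" + pad
            + b"[+] CoGetObject SUCCESS\x00" + pad)


if __name__ == "__main__":
    sample = build_sample_dump()
    for text, enc, off in find_indicators(sample):
        print(f"0x{off:08x}  {enc:<9}  {text}")
    print("CMSTPLUA elevation moniker present:", has_cmstplua_bypass(sample))
```

Run it against a process memory dump of the injected process (the report's dump source is PID 4, image base 0x400000) rather than the dropped file: the assembled UTF-16 moniker only exists after the concatenation, which is why the check also accepts prefix and CLSID found separately.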
                            APIs
                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                            • GetLastError.KERNEL32 ref: 0041A7BB
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                            • String ID:
                            • API String ID: 3587775597-0
                            • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                            • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                            • Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                            • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                            • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                            • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                            • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                            • String ID: lJD$lJD$lJD
                            • API String ID: 745075371-479184356
                            • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                            • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                            • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                            • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                            • FindClose.KERNEL32(00000000), ref: 0040C47D
                            • FindClose.KERNEL32(00000000), ref: 0040C4A8
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 1164774033-405221262
                            • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                            • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                            • Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                            • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                            • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                            • String ID:
                            • API String ID: 2341273852-0
                            • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                            • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                            • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                            • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Find$CreateFirstNext
                            • String ID: 8SG$PXG$PXG$NG$PG
                            • API String ID: 341183262-3812160132
                            • Opcode ID: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
                            • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                            • Opcode Fuzzy Hash: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
                            • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                            • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                            • GetLastError.KERNEL32 ref: 0040A2ED
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                            • TranslateMessage.USER32(?), ref: 0040A34A
                            • DispatchMessageA.USER32(?), ref: 0040A355
                            Strings
                            • Keylogger initialization failure: error , xrefs: 0040A301
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                            • String ID: Keylogger initialization failure: error
                            • API String ID: 3219506041-952744263
                            • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                            • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                            • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                            • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                            APIs
                            • GetForegroundWindow.USER32 ref: 0040A416
                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                            • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                            • GetKeyState.USER32(00000010), ref: 0040A433
                            • GetKeyboardState.USER32(?), ref: 0040A43E
                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                            • String ID:
                            • API String ID: 1888522110-0
                            • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                            • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                            • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                            • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
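The two listings above (SetWindowsHookExA with hook id 0x0D, which is WH_KEYBOARD_LL, followed by the GetKeyboardState/ToUnicodeEx translation routine) are the keylogger; earlier listings show the cmd.exe shell built on CreatePipe/CreateProcessA, the clipboard capture, the Firefox profile walk and the Toolhelp32 process enumeration. Reading capabilities off these API groups by hand is error-prone across a report this long, so the following is an added example, not code from the report or from Joe Sandbox, that parses the "APIs" and "String ID" lines in the layout used on this page and applies a small rule table (hypothetical, written for this example) mapping API combinations and strings to a capability label and ATT&CK technique. The SAMPLE text is copied from three of the listings on this page.

```python
"""Tag Joe Sandbox function listings with the capability they implement (added example)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), ref: addr.
API_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRINGS_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")
OPCODE_RE = re.compile(r"•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)")

Block = Dict[str, object]


def _new_block() -> Block:
    return {"opcode_id": "", "apis": [], "strings": []}


def parse_listing(text: str) -> List[Block]:
    """Split report text into function blocks; each block ends at its 'Instruction Fuzzy Hash' line."""
    blocks, cur = [], _new_block()
    for line in text.splitlines():
        if m := STRINGS_RE.search(line):
            cur["strings"] += [s for s in m["ids"].split("$") if s]
        elif m := OPCODE_RE.search(line):
            cur["opcode_id"] = m["id"]
        elif m := API_RE.search(line):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": m["ref"], "subcall": m["sub"] is not None})
        elif line.strip().startswith("• Instruction Fuzzy Hash"):
            blocks.append(cur)
            cur = _new_block()
    return blocks


def has_api(b: Block, name: str, arg0: Optional[str] = None) -> bool:
    """True if the block (subcalls included) calls `name`; arg0 additionally pins the first argument."""
    return any(a["name"] == name and (arg0 is None or (a["args"] and a["args"][0] == arg0))
               for a in b["apis"])


def has_text(b: Block, needle: str) -> bool:
    """True if `needle` occurs in a String ID entry or in any API argument."""
    return (any(needle in s for s in b["strings"])
            or any(needle in a for api in b["apis"] for a in api["args"]))


# (label, ATT&CK technique, predicate). Rules are built from the listings on this page; 0x0D = WH_KEYBOARD_LL.
RULES: List[Tuple[str, str, Callable[[Block], bool]]] = [
    ("low-level keyboard hook (keylogger)", "T1056.001",
     lambda b: has_api(b, "SetWindowsHookExA", "0000000D") or has_api(b, "SetWindowsHookExW", "0000000D")),
    ("keystroke translation (GetKeyboardState + ToUnicodeEx)", "T1056.001",
     lambda b: has_api(b, "ToUnicodeEx") and has_api(b, "GetKeyboardState")),
    ("elevated COM object via CMSTPLUA moniker (UAC bypass)", "T1548.002",
     lambda b: has_api(b, "CoGetObject") and has_text(b, "Elevation:Administrator!new:")),
    ("interactive cmd.exe shell over anonymous pipes", "T1059.003",
     lambda b: has_api(b, "CreatePipe") and has_api(b, "CreateProcessA") and has_text(b, "cmd.exe")),
    ("clipboard read/write", "T1115",
     lambda b: has_api(b, "GetClipboardData") or has_api(b, "SetClipboardData")),
    ("Firefox profile login/cookie store access", "T1555.003",
     lambda b: has_text(b, "Mozilla\\Firefox\\Profiles")
     and (has_text(b, "logins.json") or has_text(b, "cookies.sqlite"))),
    ("process enumeration with OpenProcess (injection target selection)", "T1055",
     lambda b: has_api(b, "CreateToolhelp32Snapshot") and has_api(b, "OpenProcess")),
    ("service discovery", "T1007", lambda b: has_api(b, "EnumServicesStatusW")),
    ("shutdown/reboot (SeShutdownPrivilege + ExitWindowsEx)", "T1529",
     lambda b: has_text(b, "SeShutdownPrivilege") or has_api(b, "ExitWindowsEx")),
]


def tag_block(b: Block) -> List[Tuple[str, str]]:
    return [(label, tid) for label, tid, pred in RULES if pred(b)]


def tag_listing(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each block's Opcode ID to the capability tags its APIs and strings trigger."""
    return {b["opcode_id"]: tag_block(b) for b in parse_listing(text)}


# Lines copied from three function listings on this page (keylogger hook, CoGetObject, cmd.exe shell).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
• SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
• GetLastError.KERNEL32 ref: 0040A2ED
• String ID: Keylogger initialization failure: error
• Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
• Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
APIs
• _wcslen.LIBCMT ref: 00407521
• CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
• Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
APIs
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• String ID: 0lG$SystemDrive$cmd.exe$kG
• Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
• Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
"""

if __name__ == "__main__":
    for opcode_id, tags in tag_listing(SAMPLE).items():
        print(opcode_id[:16], tags or "(no rule matched)")
```

The Opcode ID is used as the block key because it is stable across re-analysis of the same code, unlike the "ref:" addresses, which shift with the image base. Rules deliberately require an API combination plus a string where a single API would be ambiguous: CreatePipe alone is ordinary, CreatePipe with CreateProcessA and "cmd.exe" is a remote shell.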
                            APIs
                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                            • GetProcAddress.KERNEL32(00000000), ref: 00414271
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressCloseCreateLibraryLoadProcsend
                            • String ID: SHDeleteKeyW$Shlwapi.dll
                            • API String ID: 2127411465-314212984
                            • Opcode ID: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
                            • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                            • Opcode Fuzzy Hash: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
                            • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                            APIs
                            • _free.LIBCMT ref: 00449212
                            • _free.LIBCMT ref: 00449236
                            • _free.LIBCMT ref: 004493BD
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                            • _free.LIBCMT ref: 00449589
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                            • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                            • Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                            • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                            APIs
                              • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                              • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                              • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                              • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                              • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                            • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                            • GetProcAddress.KERNEL32(00000000), ref: 00416872
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                            • String ID: !D@$PowrProf.dll$SetSuspendState
                            • API String ID: 1589313981-2876530381
                            • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                            • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                            • Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                            • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                            • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                            • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID: ACP$OCP$['E
                            • API String ID: 2299586839-2532616801
                            • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                            • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                            • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                            • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                            APIs
                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                            • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                            • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                            Strings
                            • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleOpen$FileRead
                            • String ID: http://geoplugin.net/json.gp
                            • API String ID: 3121278467-91888290
                            • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                            • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                            • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                            • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                            • GetLastError.KERNEL32 ref: 0040BA58
                            Strings
                            • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                            • UserProfile, xrefs: 0040BA1E
                            • [Chrome StoredLogins not found], xrefs: 0040BA72
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            • API String ID: 2018770650-1062637481
                            • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                            • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                            • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                            • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                            APIs
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                            • GetLastError.KERNEL32 ref: 0041799D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3534403312-3733053543
                            • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                            • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                            • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                            • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                            APIs
                            • __EH_prolog.LIBCMT ref: 00409258
                              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                            • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                            • FindClose.KERNEL32(00000000), ref: 004093C1
                              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                              • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                              • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                            • FindClose.KERNEL32(00000000), ref: 004095B9
                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                            • String ID:
                            • API String ID: 1824512719-0
                            • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                            • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                            • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                            • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ManagerStart
                            • String ID:
                            • API String ID: 276877138-0
                            • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                            • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                            • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                            • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                            • _wcschr.LIBVCRUNTIME ref: 00451E4A
                            • _wcschr.LIBVCRUNTIME ref: 00451E58
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                            • String ID: sJD
                            • API String ID: 4212172061-3536923933
                            • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                            • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                            • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                            • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                            APIs
                              • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                              • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                              • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                            • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                            • ExitProcess.KERNEL32 ref: 0040F8CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseExitOpenProcessQuerySleepValue
                            • String ID: 5.0.0 Pro$override$pth_unenc
                            • API String ID: 2281282204-3992771774
                            • Opcode ID: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
                            • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                            • Opcode Fuzzy Hash: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
                            • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                            APIs
                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                            • wsprintfW.USER32 ref: 0040B1F3
                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: EventLocalTimewsprintf
                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                            • API String ID: 1497725170-248792730
                            • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                            • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                            • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                            • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                            APIs
                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                            • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                            • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                            • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Resource$FindLoadLockSizeof
                            • String ID: SETTINGS
                            • API String ID: 3473537107-594951305
                            • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                            • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                            • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                            • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                            APIs
                            • __EH_prolog.LIBCMT ref: 0040966A
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstH_prologNext
                            • String ID:
                            • API String ID: 1157919129-0
                            • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                            • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                            • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                            • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                            APIs
                            • __EH_prolog.LIBCMT ref: 00408811
                            • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                            • String ID:
                            • API String ID: 1771804793-0
                            • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                            • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                            • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                            • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: DownloadExecuteFileShell
                            • String ID: C:\Users\user\Desktop\MT103-7543324334.exe$open
                            • API String ID: 2825088817-3108581492
                            • Opcode ID: 903ef72eab6148293137c055818a011c76bde3dbc710c06b1fe0eac6d764652a
                            • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                            • Opcode Fuzzy Hash: 903ef72eab6148293137c055818a011c76bde3dbc710c06b1fe0eac6d764652a
                            • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$FirstNextsend
                            • String ID: XPG$XPG
                            • API String ID: 4113138495-1962359302
                            • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                            • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                            • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                            • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                            APIs
                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                              • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                              • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                              • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateInfoParametersSystemValue
                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                            • API String ID: 4127273184-3576401099
                            • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                            • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                            • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                            • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                            APIs
                            • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                            • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                            • ExitProcess.KERNEL32 ref: 004432EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID: PkGNG
                            • API String ID: 1703294689-263838557
                            • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                            • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                            • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                            • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: PkGNG
                            • API String ID: 0-263838557
                            • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                            • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                            • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                            • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorInfoLastLocale$_free$_abort
                            • String ID:
                            • API String ID: 2829624132-0
                            • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                            • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                            • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                            • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                            APIs
                            • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                            • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                            • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                            • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                            APIs
                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Context$AcquireRandomRelease
                            • String ID:
                            • API String ID: 1815803762-0
                            • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                            • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                            • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                            • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                            APIs
                            • OpenClipboard.USER32(00000000), ref: 0040B711
                            • GetClipboardData.USER32(0000000D), ref: 0040B71D
                            • CloseClipboard.USER32 ref: 0040B725
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Clipboard$CloseDataOpen
                            • String ID:
                            • API String ID: 2058664381-0
                            • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                            • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                            • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                            • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                            APIs
                            • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: FeaturePresentProcessor
                            • String ID:
                            • API String ID: 2325560087-3916222277
                            • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                            • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                            • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                            • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .
                            • API String ID: 0-248832578
                            • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                            • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                            • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                            • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID: lJD
                            • API String ID: 1084509184-3316369744
                            • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                            • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                            • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                            • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID: lJD
                            • API String ID: 1084509184-3316369744
                            • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                            • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                            • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                            • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID: GetLocaleInfoEx
                            • API String ID: 2299586839-2904428671
                            • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                            • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                            • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                            • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                            • HeapFree.KERNEL32(00000000), ref: 004120EE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$FreeProcess
                            • String ID:
                            • API String ID: 3859560861-0
                            • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                            • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                            • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                            • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$InfoLocale_abort
                            • String ID:
                            • API String ID: 1663032902-0
                            • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                            • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                            • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                            • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$InfoLocale_abort_free
                            • String ID:
                            • API String ID: 2692324296-0
                            • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                            • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                            • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                            • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                            APIs
                            • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                            • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                            • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                            • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                            APIs
                              • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                            • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalEnterEnumLocalesSectionSystem
                            • String ID:
                            • API String ID: 1272433827-0
                            • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                            • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                            • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                            • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID:
                            • API String ID: 1084509184-0
                            • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                            • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                            • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                            • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                            APIs
                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                            • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                            • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                            • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                            • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                            • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                            • Instruction Fuzzy Hash:
                            APIs
                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                            • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                              • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                            • DeleteDC.GDI32(00000000), ref: 00418F2A
                            • DeleteDC.GDI32(00000000), ref: 00418F2D
                            • DeleteObject.GDI32(00000000), ref: 00418F30
                            • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                            • DeleteDC.GDI32(00000000), ref: 00418F62
                            • DeleteDC.GDI32(00000000), ref: 00418F65
                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                            • GetIconInfo.USER32(?,?), ref: 00418FBD
                            • DeleteObject.GDI32(?), ref: 00418FEC
                            • DeleteObject.GDI32(?), ref: 00418FF9
                            • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                            • DeleteDC.GDI32(?), ref: 0041917C
                            • DeleteDC.GDI32(00000000), ref: 0041917F
                            • DeleteObject.GDI32(00000000), ref: 00419182
                            • GlobalFree.KERNEL32(?), ref: 0041918D
                            • DeleteObject.GDI32(00000000), ref: 00419241
                            • GlobalFree.KERNEL32(?), ref: 00419248
                            • DeleteDC.GDI32(?), ref: 00419258
                            • DeleteDC.GDI32(00000000), ref: 00419263
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                            • String ID: DISPLAY
                            • API String ID: 479521175-865373369
                            • Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                            • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                            • Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                            • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                            • GetProcAddress.KERNEL32(00000000), ref: 00418139
                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                            • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                            • GetProcAddress.KERNEL32(00000000), ref: 00418161
                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                            • GetProcAddress.KERNEL32(00000000), ref: 00418175
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                            • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                            • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                            • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                            • ResumeThread.KERNEL32(?), ref: 00418435
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                            • GetCurrentProcess.KERNEL32(?), ref: 00418457
                            • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                            • GetLastError.KERNEL32 ref: 0041847A
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                            • API String ID: 4188446516-3035715614
                            • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                            • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                            • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                            • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                            APIs
                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                              • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                            • ExitProcess.KERNEL32 ref: 0040D7D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                            • API String ID: 1861856835-332907002
                            • Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                            • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                            • Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                            • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                            APIs
                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                            • ExitProcess.KERNEL32 ref: 0040D419
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                            • API String ID: 3797177996-2557013105
                            • Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                            • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                            • Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                            • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                            • ExitProcess.KERNEL32(00000000), ref: 004124A0
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                            • CloseHandle.KERNEL32(00000000), ref: 0041253B
                            • GetCurrentProcessId.KERNEL32 ref: 00412541
                            • PathFileExistsW.SHLWAPI(?), ref: 00412572
                            • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                            • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                              • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                            • Sleep.KERNEL32(000001F4), ref: 00412682
                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                            • CloseHandle.KERNEL32(00000000), ref: 004126A9
                            • GetCurrentProcessId.KERNEL32 ref: 004126AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                            • String ID: .exe$8SG$WDH$exepath$open$temp_
                            • API String ID: 2649220323-436679193
                            • Opcode ID: 5afe557bd59fe2fb36d972248b29c5deb24c09acede0227067c4c091f693347a
                            • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                            • Opcode Fuzzy Hash: 5afe557bd59fe2fb36d972248b29c5deb24c09acede0227067c4c091f693347a
                            • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                            APIs
                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                            • SetEvent.KERNEL32 ref: 0041B219
                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                            • CloseHandle.KERNEL32 ref: 0041B23A
                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                            • API String ID: 738084811-2094122233
                            • Opcode ID: 1af6777f4b26f00d2594b4f9da1b5597036d5e91d20fdc05908bc04bace6597c
                            • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                            • Opcode Fuzzy Hash: 1af6777f4b26f00d2594b4f9da1b5597036d5e91d20fdc05908bc04bace6597c
                            • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                            • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                            • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                            • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$Create
                            • String ID: RIFF$WAVE$data$fmt
                            • API String ID: 1602526932-4212202414
                            • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                            • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                            • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                            • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\MT103-7543324334.exe,00000001,0040764D,C:\Users\user\Desktop\MT103-7543324334.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                            • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                            • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                            • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                            • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                            • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                            • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: C:\Users\user\Desktop\MT103-7543324334.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                            • API String ID: 1646373207-3699314326
                            • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                            • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                            • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                            • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                            APIs
                            • lstrlenW.KERNEL32(?), ref: 0041C036
                            • _memcmp.LIBVCRUNTIME ref: 0041C04E
                            • lstrlenW.KERNEL32(?), ref: 0041C067
                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                            • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                            • _wcslen.LIBCMT ref: 0041C13B
                            • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                            • GetLastError.KERNEL32 ref: 0041C173
                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                            • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                            • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                            • GetLastError.KERNEL32 ref: 0041C1D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                            • String ID: ?
                            • API String ID: 3941738427-1684325040
                            • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                            • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                            • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                            • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                            APIs
                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                            • LoadLibraryA.KERNEL32(?), ref: 00414E17
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                            • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                            • LoadLibraryA.KERNEL32(?), ref: 00414E76
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                            • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                            • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                            • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                            • API String ID: 2490988753-1941338355
                            • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                            • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                            • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                            • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$EnvironmentVariable$_wcschr
                            • String ID:
                            • API String ID: 3899193279-0
                            • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                            • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                            • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                            • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                            • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                            • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                            • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                            • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                            • Sleep.KERNEL32(00000064), ref: 00412E94
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                            • String ID: /stext "$0TG$0TG$NG$NG
                            • API String ID: 1223786279-2576077980
                            • Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                            • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                            • Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                            • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                            • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnumOpen
                            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                            • API String ID: 1332880857-3714951968
                            • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                            • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                            • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                            • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                            APIs
                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                            • GetCursorPos.USER32(?), ref: 0041D5E9
                            • SetForegroundWindow.USER32(?), ref: 0041D5F2
                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                            • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                            • ExitProcess.KERNEL32 ref: 0041D665
                            • CreatePopupMenu.USER32 ref: 0041D66B
                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                            • String ID: Close
                            • API String ID: 1657328048-3535843008
                            • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                            • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                            • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                            • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                            • SetEvent.KERNEL32(?), ref: 00404E43
                            • CloseHandle.KERNEL32(?), ref: 00404E4C
                            • closesocket.WS2_32(?), ref: 00404E5A
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                            • SetEvent.KERNEL32(?), ref: 00404EA2
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                            • SetEvent.KERNEL32(?), ref: 00404EBA
                            • CloseHandle.KERNEL32(?), ref: 00404EBF
                            • CloseHandle.KERNEL32(?), ref: 00404EC4
                            • SetEvent.KERNEL32(?), ref: 00404ED1
                            • CloseHandle.KERNEL32(?), ref: 00404ED6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                            • String ID: PkGNG
                            • API String ID: 3658366068-263838557
                            • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                            • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                            • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                            • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$Info
                            • String ID:
                            • API String ID: 2509303402-0
                            • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                            • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                            • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                            • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                            • __aulldiv.LIBCMT ref: 00408D4D
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                            • CloseHandle.KERNEL32(00000000), ref: 00408F64
                            • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                            • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                            • API String ID: 3086580692-2582957567
                            • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                            • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                            • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                            • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                            APIs
                            • Sleep.KERNEL32(00001388), ref: 0040A740
                              • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                              • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                              • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                              • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                            • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                            • String ID: 8SG$8SG$pQG$pQG$PG$PG
                            • API String ID: 3795512280-1152054767
                            • Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                            • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                            • Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                            • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                            APIs
                            • connect.WS2_32(?,?,?), ref: 004048E0
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                            • WSAGetLastError.WS2_32 ref: 00404A21
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                            • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                            • API String ID: 994465650-3229884001
                            • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                            • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                            • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                            • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 0045130A
                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                            • _free.LIBCMT ref: 004512FF
                              • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00451321
                            • _free.LIBCMT ref: 00451336
                            • _free.LIBCMT ref: 00451341
                            • _free.LIBCMT ref: 00451363
                            • _free.LIBCMT ref: 00451376
                            • _free.LIBCMT ref: 00451384
                            • _free.LIBCMT ref: 0045138F
                            • _free.LIBCMT ref: 004513C7
                            • _free.LIBCMT ref: 004513CE
                            • _free.LIBCMT ref: 004513EB
                            • _free.LIBCMT ref: 00451403
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                            • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                            • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                            • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                            APIs
                            • __EH_prolog.LIBCMT ref: 00419FB9
                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                            • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                            • GetLocalTime.KERNEL32(?), ref: 0041A105
                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                            • API String ID: 489098229-1431523004
                            • Opcode ID: a44948d284f133504734d697ca6f7e31c11da472c88381ebf6f8b069d30e9c47
                            • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                            • Opcode Fuzzy Hash: a44948d284f133504734d697ca6f7e31c11da472c88381ebf6f8b069d30e9c47
                            • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
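The routine above initialises GDI+, creates a directory and formats two names from GetLocalTime output using the templates time_%04i%02i%02i_%02i%02i%02i and wnd_%04i%02i%02i_%02i%02i%02i, which is the naming scheme a responder will meet on disk when timelining the capture output. The following is an added triage helper written for this page, not code from the sample or from Joe Sandbox: it validates names against those two templates, rejects names with an impossible date or time, orders them by the embedded timestamp and groups them into bursts. The file extension, the burst gap of 90 seconds and the directory listing are all assumptions made for the demonstration; the report shows neither the extension nor the capture interval.

```python
import re
from datetime import datetime, timedelta

# Templates listed in this entry's string table (formatted from GetLocalTime output):
#   time_%04i%02i%02i_%02i%02i%02i   wnd_%04i%02i%02i_%02i%02i%02i
# The report does not show the file extension, so any short extension (or none) is accepted.
CAPTURE_NAME = re.compile(
    r"^(?P<kind>time|wnd)_(?P<stamp>\d{8}_\d{6})(?P<ext>\.[A-Za-z0-9]{1,5})?$"
)


def parse_capture_name(name):
    """Return {'kind', 'timestamp', 'name'} for a name matching a template, else None.

    Both the prefix and the date fields are checked: 'time_20240628_251199.jpg'
    has the right shape but an impossible hour and is rejected.
    """
    m = CAPTURE_NAME.match(name)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d_%H%M%S")
    except ValueError:
        return None
    return {"kind": m.group("kind"), "timestamp": stamp, "name": name}


def capture_timeline(names):
    """Keep only names matching the templates, ordered by the embedded timestamp."""
    parsed = (parse_capture_name(n) for n in names)
    return sorted((p for p in parsed if p is not None), key=lambda p: p["timestamp"])


def capture_bursts(names, max_gap=timedelta(seconds=90)):
    """Group the timeline into runs of captures no more than max_gap apart.

    max_gap is an assumed triage threshold, not a value taken from the sample.
    """
    bursts = []
    for entry in capture_timeline(names):
        if bursts and entry["timestamp"] - bursts[-1][-1]["timestamp"] <= max_gap:
            bursts[-1].append(entry)
        else:
            bursts.append([entry])
    return bursts


# Constructed directory listing for the demonstration (not taken from the report).
SAMPLE_LISTING = [
    "wnd_20240628_101502.jpg",
    "time_20240628_101500.jpg",
    "time_20240628_101600.jpg",
    "time_20240628_251199.jpg",   # shape matches, hour 25 does not exist
    "time_20240628_123000.jpg",
    "desktop.ini",
    "notes.txt",
]

if __name__ == "__main__":
    for burst in capture_bursts(SAMPLE_LISTING):
        first, last = burst[0]["timestamp"], burst[-1]["timestamp"]
        print(f"{first} -> {last}: {len(burst)} capture(s)")
```

Run against a listing of the capture directory; a burst of wnd_ and time_ names a few seconds apart marks an interactive session the operator was watching, while isolated time_ names are the periodic captures.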
                            APIs
                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                              • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                              • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                              • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                            • ExitProcess.KERNEL32 ref: 0040D9C4
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                            • API String ID: 1913171305-3159800282
                            • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                            • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                            • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                            • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
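The string table of the routine above (GetModuleFileNameW, a registry read in the subcall, ShellExecuteW with the "open" verb, then ExitProcess) carries the pieces of a Windows Script Host stub: the ".vbs" suffix, "Temp", a Run line that starts a command through cmd /c, the closing '""", 0' of that line, and a DeleteFile(Wscript.ScriptFullName) call that removes the script once it has run. The code below is an added triage example written for this page, not code from the sample, from Remcos or from Joe Sandbox. build_stub joins the listed fragments into one script and is a reconstruction, since the report shows the fragments rather than the finished file; the executable path, the scratch directory standing in for Temp, and the benign comparison script are all constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Fragments exactly as listed in this entry's string table.
RUN_PREFIX = 'CreateObject("WScript.Shell").Run "cmd /c ""'
RUN_SUFFIX = '""", 0'
SELF_DELETE = 'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)'

# Matches the launched command between the doubled quotes of the Run line.
TARGET_RE = re.compile(r'\.Run "cmd /c ""(?P<target>.+?)""", 0')


def build_stub(exepath):
    """Assumed assembly of the fragments into one script.

    This is a reconstruction for the demo; the report lists the fragments,
    not the file the sample writes.
    """
    return RUN_PREFIX + exepath + RUN_SUFFIX + "\r\n" + SELF_DELETE + "\r\n"


def classify_script(text):
    """Flag a script that both launches a command via cmd /c and deletes itself."""
    runs_cmd = RUN_PREFIX in text
    self_deletes = SELF_DELETE in text
    m = TARGET_RE.search(text)
    return {
        "runs_cmd": runs_cmd,
        "self_deletes": self_deletes,
        "target": m.group("target") if m else None,
        "suspicious": runs_cmd and self_deletes,
    }


def scan_vbs(directory):
    """Return (path, launched target) for every .vbs in directory matching the pattern."""
    hits = []
    for path in sorted(Path(directory).glob("*.vbs")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        verdict = classify_script(text)
        if verdict["suspicious"]:
            hits.append((str(path), verdict["target"]))
    return hits


def demo():
    """Write two constructed scripts to a scratch directory and scan it.

    Returns the scan result so it can be checked without touching a real Temp folder.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        # Constructed: the stub as it would look when relaunching a dropped copy (hypothetical path).
        (tmp_path / "stub.vbs").write_text(
            build_stub(r"C:\Users\victim\AppData\Roaming\remcos.exe"), encoding="utf-8"
        )
        # Constructed: a benign logon script that runs something but never deletes itself.
        (tmp_path / "logon.vbs").write_text(
            'CreateObject("WScript.Shell").Run "notepad.exe", 1\r\n', encoding="utf-8"
        )
        return [(Path(p).name, target) for p, target in scan_vbs(tmp)]


if __name__ == "__main__":
    for name, target in demo():
        print(f"{name}: launches {target!r} via cmd /c and then deletes itself")
```

Point scan_vbs at the user's Temp directory during live response; because the stub removes itself after the relaunch, a hit there usually means the sample is mid-update or was interrupted, and the recovered target path is the location of the copy it was about to start.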
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                            • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                            • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                            • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                            APIs
                              • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                            • GetLastError.KERNEL32 ref: 00455CEF
                            • __dosmaperr.LIBCMT ref: 00455CF6
                            • GetFileType.KERNEL32(00000000), ref: 00455D02
                            • GetLastError.KERNEL32 ref: 00455D0C
                            • __dosmaperr.LIBCMT ref: 00455D15
                            • CloseHandle.KERNEL32(00000000), ref: 00455D35
                            • CloseHandle.KERNEL32(?), ref: 00455E7F
                            • GetLastError.KERNEL32 ref: 00455EB1
                            • __dosmaperr.LIBCMT ref: 00455EB8
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                            • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                            • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                            • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                            • __alloca_probe_16.LIBCMT ref: 00453EEA
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                            • __alloca_probe_16.LIBCMT ref: 00453F94
                            • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                            • __freea.LIBCMT ref: 00454003
                            • __freea.LIBCMT ref: 0045400F
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                            • String ID: \@E
                            • API String ID: 201697637-1814623452
                            • Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                            • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                            • Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                            • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                            • __alloca_probe_16.LIBCMT ref: 0044ACDB
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                            • __alloca_probe_16.LIBCMT ref: 0044ADC0
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                            • __freea.LIBCMT ref: 0044AE30
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                            • __freea.LIBCMT ref: 0044AE39
                            • __freea.LIBCMT ref: 0044AE5E
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                            • String ID: $C$PkGNG
                            • API String ID: 3864826663-3740547665
                            • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                            • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                            • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                            • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID: \&G$\&G$`&G
                            • API String ID: 269201875-253610517
                            • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                            • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                            • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                            • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 65535$udp
                            • API String ID: 0-1267037602
                            • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                            • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                            • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                            • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 0040AD38
                            • Sleep.KERNEL32(000001F4), ref: 0040AD43
                            • GetForegroundWindow.USER32 ref: 0040AD49
                            • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                            • Sleep.KERNEL32(000003E8), ref: 0040AE54
                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                            • String ID: [${ User has been idle for $ minutes }$]
                            • API String ID: 911427763-3954389425
                            • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                            • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                            • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                            • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                            • __dosmaperr.LIBCMT ref: 0043A8A6
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                            • __dosmaperr.LIBCMT ref: 0043A8E3
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                            • __dosmaperr.LIBCMT ref: 0043A937
                            • _free.LIBCMT ref: 0043A943
                            • _free.LIBCMT ref: 0043A94A
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                            • String ID:
                            • API String ID: 2441525078-0
                            • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                            • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                            • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                            • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 004054BF
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                            • TranslateMessage.USER32(?), ref: 0040557E
                            • DispatchMessageA.USER32(?), ref: 00405589
                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                            • String ID: CloseChat$DisplayMessage$GetMessage
                            • API String ID: 2956720200-749203953
                            • Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
                            • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                            • Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
                            • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                            APIs
                              • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                            • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                            • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                            • String ID: 0VG$0VG$<$@$Temp
                            • API String ID: 1704390241-2575729100
                            • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                            • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                            • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                            • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                            APIs
                            • OpenClipboard.USER32 ref: 00416941
                            • EmptyClipboard.USER32 ref: 0041694F
                            • CloseClipboard.USER32 ref: 00416955
                            • OpenClipboard.USER32 ref: 0041695C
                            • GetClipboardData.USER32(0000000D), ref: 0041696C
                            • GlobalLock.KERNEL32(00000000), ref: 00416975
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                            • CloseClipboard.USER32 ref: 00416984
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                            • String ID: !D@
                            • API String ID: 2172192267-604454484
                            • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                            • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                            • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                            • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                            APIs
                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                            • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                            • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                            • CloseHandle.KERNEL32(00000000), ref: 0041345F
                            • CloseHandle.KERNEL32(?), ref: 00413465
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                            • String ID:
                            • API String ID: 297527592-0
                            • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                            • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                            • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                            • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                            • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                            • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                            • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                            APIs
                            • _free.LIBCMT ref: 00448135
                              • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00448141
                            • _free.LIBCMT ref: 0044814C
                            • _free.LIBCMT ref: 00448157
                            • _free.LIBCMT ref: 00448162
                            • _free.LIBCMT ref: 0044816D
                            • _free.LIBCMT ref: 00448178
                            • _free.LIBCMT ref: 00448183
                            • _free.LIBCMT ref: 0044818E
                            • _free.LIBCMT ref: 0044819C
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                            • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                            • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                            • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Eventinet_ntoa
                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                            • API String ID: 3578746661-3604713145
                            • Opcode ID: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
                            • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                            • Opcode Fuzzy Hash: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
                            • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                            APIs
                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: DecodePointer
                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                            • API String ID: 3527080286-3064271455
                            • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                            • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                            • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                            • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                            APIs
                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                            • __fassign.LIBCMT ref: 0044B479
                            • __fassign.LIBCMT ref: 0044B494
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                            • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID: PkGNG
                            • API String ID: 1324828854-263838557
                            • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                            • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                            • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                            • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                            • Sleep.KERNEL32(00000064), ref: 00417521
                            • DeleteFileW.KERNEL32(00000000), ref: 00417555
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CreateDeleteExecuteShellSleep
                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                            • API String ID: 1462127192-2001430897
                            • Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                            • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                            • Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                            • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                            APIs
                            • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                            • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\MT103-7543324334.exe), ref: 0040749E
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess
                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                            • API String ID: 2050909247-4242073005
                            • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                            • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                            • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                            • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                            APIs
                            • _strftime.LIBCMT ref: 00401D50
                              • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                            • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                            • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                            • API String ID: 3809562944-243156785
                            • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                            • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                            • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                            • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                            • int.LIBCPMT ref: 00410E81
                              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                            • std::_Facet_Register.LIBCPMT ref: 00410EC1
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                            • __Init_thread_footer.LIBCMT ref: 00410F29
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                            • String ID: ,kG$0kG
                            • API String ID: 3815856325-2015055088
                            • Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                            • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                            • Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                            • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                            APIs
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                            • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                            • waveInStart.WINMM ref: 00401CFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                            • String ID: dMG$|MG$PG
                            • API String ID: 1356121797-532278878
                            • Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                            • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                            • Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                            • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                              • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                              • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                              • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                            • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                            • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                            • TranslateMessage.USER32(?), ref: 0041D4E9
                            • DispatchMessageA.USER32(?), ref: 0041D4F3
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                            • String ID: Remcos
                            • API String ID: 1970332568-165870891
                            • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                            • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                            • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                            • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                            • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                            • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                            • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • _memcmp.LIBVCRUNTIME ref: 00445423
                            • _free.LIBCMT ref: 00445494
                            • _free.LIBCMT ref: 004454AD
                            • _free.LIBCMT ref: 004454DF
                            • _free.LIBCMT ref: 004454E8
                            • _free.LIBCMT ref: 004454F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorLast$_abort_memcmp
                            • String ID: C
                            • API String ID: 1679612858-1037565863
                            • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                            • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                            • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                            • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: tcp$udp
                            • API String ID: 0-3725065008
                            • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                            • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                            • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                            • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                            APIs
                              • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                            • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                            • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                              • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                            • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                            • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                            • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                              • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                              • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                            • String ID: t^F
                            • API String ID: 3950776272-389975521
                            • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                            • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                            • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                            • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 004018BE
                            • ExitThread.KERNEL32 ref: 004018F6
                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                            • String ID: PkG$XMG$NG$NG
                            • API String ID: 1649129571-3151166067
                            • Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                            • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                            • Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                            • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                              • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                            • String ID: .part
                            • API String ID: 1303771098-3499674018
                            • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                            • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                            • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                            • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                            APIs
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                            • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: InputSend
                            • String ID:
                            • API String ID: 3431551938-0
                            • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                            • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                            • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                            • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: __freea$__alloca_probe_16_free
                            • String ID: a/p$am/pm$zD
                            • API String ID: 2936374016-2723203690
                            • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                            • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                            • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                            • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                            APIs
                            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Enum$InfoQueryValue
                            • String ID: [regsplt]$xUG$TG
                            • API String ID: 3554306468-1165877943
                            • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                            • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                            • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                            • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID: D[E$D[E
                            • API String ID: 269201875-3695742444
                            • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                            • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                            • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                            • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                            APIs
                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                              • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                              • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnumInfoOpenQuerysend
                            • String ID: xUG$NG$NG$TG
                            • API String ID: 3114080316-2811732169
                            • Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                            • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                            • Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                            • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                            • __alloca_probe_16.LIBCMT ref: 004511B1
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                            • __freea.LIBCMT ref: 0045121D
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                            • String ID: PkGNG
                            • API String ID: 313313983-263838557
                            • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                            • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                            • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                            • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                            APIs
                              • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                              • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                              • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                            • _wcslen.LIBCMT ref: 0041B763
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                            • API String ID: 37874593-122982132
                            • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                            • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                            • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                            • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                            APIs
                              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                            • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                            • API String ID: 1133728706-4073444585
                            • Opcode ID: 44b5265c6c0164f295b1527da2f4df424204d8919945bee9dcb633f0f8b76136
                            • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                            • Opcode Fuzzy Hash: 44b5265c6c0164f295b1527da2f4df424204d8919945bee9dcb633f0f8b76136
                            • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                            • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                            • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                            • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                            APIs
                              • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                            • _free.LIBCMT ref: 00450F48
                              • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00450F53
                            • _free.LIBCMT ref: 00450F5E
                            • _free.LIBCMT ref: 00450FB2
                            • _free.LIBCMT ref: 00450FBD
                            • _free.LIBCMT ref: 00450FC8
                            • _free.LIBCMT ref: 00450FD3
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                            • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                            • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                            • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                            • int.LIBCPMT ref: 00411183
                              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                            • std::_Facet_Register.LIBCPMT ref: 004111C3
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                            • String ID: (mG
                            • API String ID: 2536120697-4059303827
                            • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                            • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                            • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                            • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                            APIs
                            • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                            • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                            • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                            • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                            • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                            APIs
                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\MT103-7543324334.exe), ref: 004075D0
                              • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                              • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                            • CoUninitialize.OLE32 ref: 00407629
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: InitializeObjectUninitialize_wcslen
                            • String ID: C:\Users\user\Desktop\MT103-7543324334.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                            • API String ID: 3851391207-2015217214
                            • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                            • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                            • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                            • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                            • GetLastError.KERNEL32 ref: 0040BAE7
                            Strings
                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                            • [Chrome Cookies not found], xrefs: 0040BB01
                            • UserProfile, xrefs: 0040BAAD
                            • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                            • API String ID: 2018770650-304995407
                            • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                            • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                            • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                            • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                            APIs
                            • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                            • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Console$AllocOutputShowWindow
                            • String ID: Remcos v$5.0.0 Pro$CONOUT$
                            • API String ID: 2425139147-2278869229
                            • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                            • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                            • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                            • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                            • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$PkGNG$mscoree.dll
                            • API String ID: 4061214504-213444651
                            • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                            • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                            • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                            • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                            APIs
                            • __allrem.LIBCMT ref: 0043AC69
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                            • __allrem.LIBCMT ref: 0043AC9C
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                            • __allrem.LIBCMT ref: 0043ACD1
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 1992179935-0
                            • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                            • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                            • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                            • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                            APIs
                            • Sleep.KERNEL32(00000000,?), ref: 004044C4
                              • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: H_prologSleep
                            • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                            • API String ID: 3469354165-3054508432
                            • Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
                            • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                            • Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
                            • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: __cftoe
                            • String ID:
                            • API String ID: 4189289331-0
                            • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                            • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                            • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                            • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                            • String ID:
                            • API String ID: 493672254-0
                            • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                            • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                            • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                            • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID: PkGNG
                            • API String ID: 1036877536-263838557
                            • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                            • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                            • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                            • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                            APIs
                            • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                            • _free.LIBCMT ref: 0044824C
                            • _free.LIBCMT ref: 00448274
                            • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                            • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                            • _abort.LIBCMT ref: 00448293
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                            • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                            • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                            • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                            • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                            • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                            • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                            • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                            • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                            • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                            • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                            • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                            • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID:
                            • String ID: PkGNG
                            • API String ID: 0-263838557
                            • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                            • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                            • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                            • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                            • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                            • CloseHandle.KERNEL32(?), ref: 00404DDB
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Create$CloseEventHandleObjectSingleThreadWait
                            • String ID: PkGNG
                            • API String ID: 3360349984-263838557
                            • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                            • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                            • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                            • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                            • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                            • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: File$CloseCreateHandleSizeSleep
                            • String ID: XQG
                            • API String ID: 1958988193-3606453820
                            • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                            • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                            • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                            • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                            APIs
                            • RegisterClassExA.USER32(00000030), ref: 0041D55B
                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                            • GetLastError.KERNEL32 ref: 0041D580
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: ClassCreateErrorLastRegisterWindow
                            • String ID: 0$MsgWindowClass
                            • API String ID: 2877667751-2410386613
                            • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                            • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                            • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                            • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                            APIs
                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                            • CloseHandle.KERNEL32(?), ref: 004077AA
                            • CloseHandle.KERNEL32(?), ref: 004077AF
                            Strings
                            • C:\Windows\System32\cmd.exe, xrefs: 00407796
                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: CloseHandle$CreateProcess
                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                            • API String ID: 2922976086-4183131282
                            • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                            • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                            • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                            • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID:
                            • String ID: SG$C:\Users\user\Desktop\MT103-7543324334.exe
                            • API String ID: 0-2756191953
                            • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                            • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                            • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                            • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                            • SetEvent.KERNEL32(?), ref: 0040512C
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                            • CloseHandle.KERNEL32(?), ref: 00405140
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                            • String ID: KeepAlive | Disabled
                            • API String ID: 2993684571-305739064
                            • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                            • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                            • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                            • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                            APIs
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                            • Sleep.KERNEL32(00002710), ref: 0041AE07
                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: PlaySound$HandleLocalModuleSleepTime
                            • String ID: Alarm triggered
                            • API String ID: 614609389-2816303416
                            • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                            • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                            • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                            • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                            APIs
                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                            Strings
                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                            • API String ID: 3024135584-2418719853
                            • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                            • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                            • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                            • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                            • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                            • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                            • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                            APIs
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                            • _free.LIBCMT ref: 00444E06
                            • _free.LIBCMT ref: 00444E1D
                            • _free.LIBCMT ref: 00444E3C
                            • _free.LIBCMT ref: 00444E57
                            • _free.LIBCMT ref: 00444E6E
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: _free$AllocateHeap
                            • String ID:
                            • API String ID: 3033488037-0
                            • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                            • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                            • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                            • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                            • _free.LIBCMT ref: 004493BD
                              • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00449589
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID:
                            • API String ID: 1286116820-0
                            • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                            • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                            • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                            • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                            APIs
                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                            • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                              • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                            • String ID:
                            • API String ID: 4269425633-0
                            • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                            • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                            • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                            • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                            • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                            • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                            • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                            • _free.LIBCMT ref: 0044F3BF
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            • String ID:
                            • API String ID: 336800556-0
                            • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                            • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                            • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                            • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                            APIs
                            • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                            • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                            • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: File$CloseHandle$CreatePointerWrite
                            • String ID:
                            • API String ID: 1852769593-0
                            • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                            • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                            • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                            • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                            APIs
                            • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                            • _free.LIBCMT ref: 004482D3
                            • _free.LIBCMT ref: 004482FA
                            • SetLastError.KERNEL32(00000000), ref: 00448307
                            • SetLastError.KERNEL32(00000000), ref: 00448310
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            • API ID: ErrorLast$_free
                            • String ID:
                            • API String ID: 3170660625-0
                            • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                            • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                            • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                            • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                            APIs
                            • _free.LIBCMT ref: 004509D4
                              • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 004509E6
                            • _free.LIBCMT ref: 004509F8
                            • _free.LIBCMT ref: 00450A0A
                            • _free.LIBCMT ref: 00450A1C
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                            • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                            • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                            • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                            APIs
                            • _free.LIBCMT ref: 00444066
                              • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00444078
                            • _free.LIBCMT ref: 0044408B
                            • _free.LIBCMT ref: 0044409C
                            • _free.LIBCMT ref: 004440AD
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                            • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                            • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                            • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: PkGNG
                            • API String ID: 0-263838557
                            • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                            • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                            • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                            • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                            APIs
                            • _strpbrk.LIBCMT ref: 0044E738
                            • _free.LIBCMT ref: 0044E855
                              • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                              • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                              • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                            • String ID: *?$.
                            • API String ID: 2812119850-3972193922
                            • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                            • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                            • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                            • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountEventTick
                            • String ID: !D@$NG
                            • API String ID: 180926312-2721294649
                            • Opcode ID: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
                            • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                            • Opcode Fuzzy Hash: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
                            • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                            APIs
                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                              • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFileKeyboardLayoutNameconnectsend
                            • String ID: XQG$NG$PG
                            • API String ID: 1634807452-3565412412
                            • Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                            • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                            • Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                            • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: `#D$`#D
                            • API String ID: 885266447-2450397995
                            • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                            • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                            • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                            • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MT103-7543324334.exe,00000104), ref: 00443475
                            • _free.LIBCMT ref: 00443540
                            • _free.LIBCMT ref: 0044354A
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Users\user\Desktop\MT103-7543324334.exe
                            • API String ID: 2506810119-3153004419
                            • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                            • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                            • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                            • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                            • GetLastError.KERNEL32 ref: 0044B931
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharErrorFileLastMultiWideWrite
                            • String ID: PkGNG
                            • API String ID: 2456169464-263838557
                            • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                            • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                            • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                            • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                            • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                            • String ID: /sort "Visit Time" /stext "$0NG
                            • API String ID: 368326130-3219657780
                            • Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                            • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                            • Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                            • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                            APIs
                            • _wcslen.LIBCMT ref: 004162F5
                              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                              • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                              • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                              • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: _wcslen$CloseCreateValue
                            • String ID: !D@$okmode$PG
                            • API String ID: 3411444782-3370592832
                            • Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                            • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                            • Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                            • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                            APIs
                              • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                            Strings
                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                            • User Data\Default\Network\Cookies, xrefs: 0040C603
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                            • API String ID: 1174141254-1980882731
                            • Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                            • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                            • Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                            • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                            APIs
                              • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                            Strings
                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                            • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                            • API String ID: 1174141254-1980882731
                            • Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                            • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                            • Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                            • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                            • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                            • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread$LocalTimewsprintf
                            • String ID: Offline Keylogger Started
                            • API String ID: 465354869-4114347211
                            • Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                            • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                            • Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                            • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                            APIs
                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                            • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                            • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread$LocalTime$wsprintf
                            • String ID: Online Keylogger Started
                            • API String ID: 112202259-1258561607
                            • Opcode ID: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
                            • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                            • Opcode Fuzzy Hash: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
                            • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                            APIs
                            • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocalTime
                            • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                            • API String ID: 481472006-3277280411
                            • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                            • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                            • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                            • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                            APIs
                            • GetLocalTime.KERNEL32(?), ref: 00404F81
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                            • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Create$EventLocalThreadTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 2532271599-1507639952
                            • Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                            • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                            • Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                            • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                            APIs
                            • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                            • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: CryptUnprotectData$crypt32
                            • API String ID: 2574300362-2380590389
                            • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                            • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                            • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                            • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                            • GetLastError.KERNEL32 ref: 0044C296
                            • __dosmaperr.LIBCMT ref: 0044C29D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: PkGNG
                            • API String ID: 2336955059-263838557
                            • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                            • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                            • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                            • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                            • CloseHandle.KERNEL32(?), ref: 004051CA
                            • SetEvent.KERNEL32(?), ref: 004051D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandleObjectSingleWait
                            • String ID: Connection Timeout
                            • API String ID: 2055531096-499159329
                            • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                            • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                            • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                            • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                            APIs
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Exception@8Throw
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 2005118841-1866435925
                            • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                            • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                            • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                            • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                            APIs
                            • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                            • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                            Similarity
                            • API ID: FormatFreeLocalMessage
                            • String ID: @J@$PkGNG
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                            Similarity
                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                            • String ID: bad locale name
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                            • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                            • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: Control Panel\Desktop
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                            • ShowWindow.USER32(00000009), ref: 00416C61
                            • SetForegroundWindow.USER32 ref: 00416C6D
                              • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                              • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                              • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                            Similarity
                            • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                            • String ID: !D@
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: /C $cmd.exe$open
                            APIs
                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                            • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: GetCursorInfo$User32.dll
                            APIs
                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                            • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetLastInputInfo$User32.dll
                            Strings
                            • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                            • Cleared browsers logins and cookies., xrefs: 0040C0F5
                            Similarity
                            • API ID: Sleep
                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                            APIs
                              • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                              • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                              • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                            • Sleep.KERNEL32(000001F4), ref: 0040A573
                            • Sleep.KERNEL32(00000064), ref: 0040A5FD
                            Similarity
                            • API ID: Window$SleepText$ForegroundLength
                            • String ID: [ $ ]
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                            • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                            • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                            Similarity
                            • API ID: File$CloseCreateHandleReadSize
                            APIs
                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                            Similarity
                            • API ID: CloseHandleOpenProcess
                            APIs
                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                              • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                            • _UnwindNestedFrames.LIBCMT ref: 00439891
                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                            • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                            Similarity
                            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                            APIs
                            • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                            • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                            • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                            • GetSystemMetrics.USER32(0000004F), ref: 00419402
                            Similarity
                            • API ID: MetricsSystem
                            APIs
                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                              • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                            Similarity
                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                            APIs
                            • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                            Similarity
                            • API ID: ErrorHandling__start
                            • String ID: pow
                            APIs
                            • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                            • GetLastError.KERNEL32 ref: 00449F2B
                            Similarity
                            • API ID: ByteCharErrorLastMultiWide
                            • String ID: PkGNG
                            APIs
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            • __Init_thread_footer.LIBCMT ref: 0040B797
                            Similarity
                            • API ID: Init_thread_footer__onexit
                            • String ID: [End of clipboard]$[Text copied to clipboard]
                            APIs
                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                            Similarity
                            • String ID: ACP$OCP
                            APIs
                            • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                            • GetLastError.KERNEL32 ref: 0044B804
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: PkGNG
                            APIs
                            • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                            • GetLastError.KERNEL32 ref: 0044B716
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: PkGNG
                            APIs
                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocalTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 481472006-1507639952
                            • Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                            • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                            • Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                            • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                            APIs
                            • Sleep.KERNEL32 ref: 00416640
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: DownloadFileSleep
                            • String ID: !D@
                            • API String ID: 1931167962-604454484
                            • Opcode ID: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                            • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                            • Opcode Fuzzy Hash: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                            • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: alarm.wav$hYG
                            • API String ID: 1174141254-2782910960
                            • Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                            • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                            • Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                            • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                            APIs
                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • CloseHandle.KERNEL32(?), ref: 0040B0B4
                            • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                            • String ID: Online Keylogger Stopped
                            • API String ID: 1623830855-1496645233
                            • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                            • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                            • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                            • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                            APIs
                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: String
                            • String ID: LCMapStringEx$PkGNG
                            • API String ID: 2568140703-1065776982
                            • Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                            • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                            • Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                            • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                            APIs
                            • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                            • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: wave$BufferHeaderPrepare
                            • String ID: XMG
                            • API String ID: 2315374483-813777761
                            • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                            • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                            • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                            • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                            APIs
                            • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocaleValid
                            • String ID: IsValidLocaleName$JD
                            • API String ID: 1901932003-2234456777
                            • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                            • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                            • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                            • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: UserProfile$\AppData\Local\Google\Chrome\
                            • API String ID: 1174141254-4188645398
                            • Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                            • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                            • Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                            • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                            • API String ID: 1174141254-2800177040
                            • Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                            • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                            • Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                            • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: AppData$\Opera Software\Opera Stable\
                            • API String ID: 1174141254-1629609700
                            • Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                            • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                            • Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                            • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                            APIs
                            • GetKeyState.USER32(00000011), ref: 0040B64B
                              • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                              • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                              • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                              • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                              • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                            • String ID: [AltL]$[AltR]
                            • API String ID: 2738857842-2658077756
                            • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                            • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                            • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                            • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                            APIs
                            • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                            • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: uD
                            • API String ID: 0-2547262877
                            • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                            • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                            • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                            • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$FileSystem
                            • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                            • API String ID: 2086374402-949981407
                            • Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                            • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                            • Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                            • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: !D@$open
                            • API String ID: 587946157-1586967515
                            • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                            • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                            • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                            • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                            APIs
                            • ___initconout.LIBCMT ref: 0045555B
                              • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                            • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ConsoleCreateFileWrite___initconout
                            • String ID: PkGNG
                            • API String ID: 3087715906-263838557
                            • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                            • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                            • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                            • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                            APIs
                            • GetKeyState.USER32(00000012), ref: 0040B6A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: State
                            • String ID: [CtrlL]$[CtrlR]
                            • API String ID: 1649606143-2446555240
                            • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                            • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                            • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                            • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                            APIs
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            • __Init_thread_footer.LIBCMT ref: 00410F29
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: Init_thread_footer__onexit
                            • String ID: ,kG$0kG
                            • API String ID: 1881088180-2015055088
                            • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                            • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                            • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                            • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                            APIs
                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                            • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteOpenValue
                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                            • API String ID: 2654517830-1051519024
                            • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                            • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                            • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                            • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                            • GetLastError.KERNEL32 ref: 00440D35
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0
                            • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                            • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                            • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                            • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                            APIs
                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                            • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                            • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                            • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                            Memory Dump Source
                            • Source File: 00000004.00000002.1253903088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_MT103-7543324334.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastRead
                            • String ID:
                            • API String ID: 4100373531-0
                            • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                            • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                            • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                            • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

                            Execution Graph

                            Execution Coverage:11.7%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:231
                            Total number of Limit Nodes:8
                            execution_graph: [rendered call graph; the spilled node-ID listing is omitted here. API calls that appear as graph nodes in the listing: Wow64SetThreadContext, WriteProcessMemory, ReadProcessMemory, VirtualAllocEx, CreateProcessA, ResumeThread, PostMessageW, CreateActCtxA, DuplicateHandle, DrawTextExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId. The listing is cut off on the page.]
137b7f0 44284->44285 44286 137b824 44285->44286 44292 137ba78 44285->44292 44296 137ba88 44285->44296 44286->44282 44287 137b81c 44287->44286 44288 137ba28 GetModuleHandleW 44287->44288 44289 137ba55 44288->44289 44289->44282 44293 137ba84 44292->44293 44294 137bac1 44293->44294 44300 137b230 44293->44300 44294->44287 44297 137ba9c 44296->44297 44298 137bac1 44297->44298 44299 137b230 LoadLibraryExW 44297->44299 44298->44287 44299->44298 44301 137bc68 LoadLibraryExW 44300->44301 44303 137bce1 44301->44303 44303->44294
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a84a15462dc4034be9157b05b15fab56d8f1f14ee8d46105b175cf9fcda99c61
                            • Instruction ID: e5f6782b7066127f330aebe7bb9c30f651082aab9ff63d9b3814c3043fbcba3d
                            • Opcode Fuzzy Hash: a84a15462dc4034be9157b05b15fab56d8f1f14ee8d46105b175cf9fcda99c61
                            • Instruction Fuzzy Hash: 3243E574A01219CFDB68DF68C998ADDB7B2BF89310F158599E419AB365CB30ED81CF40
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 06255004cfc92e4b03272ce756cb8c19c866230f903b0d755da0455f7ad56a43
                            • Instruction ID: 03270c5ee2eab19f2a80ed941f13f24ed4002af02c3d2aad66a7b74efa23746f
                            • Opcode Fuzzy Hash: 06255004cfc92e4b03272ce756cb8c19c866230f903b0d755da0455f7ad56a43
                            • Instruction Fuzzy Hash: 422116B0D046588BEB18CFAAD9547EEFFF6AFC9300F04C46AD409AA265DB740945CF50

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0137DAF6
                            • GetCurrentThread.KERNEL32 ref: 0137DB33
                            • GetCurrentProcess.KERNEL32 ref: 0137DB70
                            • GetCurrentThreadId.KERNEL32 ref: 0137DBC9
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 12c665b44850334a787254a2e5270b54e77f980b0b24989982721e6b6ce94f0b
                            • Instruction ID: e429099d05ac65e9da4a8e72d1096e9821acfb1ea8f2f3ff16bd26221a562865
                            • Opcode Fuzzy Hash: 12c665b44850334a787254a2e5270b54e77f980b0b24989982721e6b6ce94f0b
                            • Instruction Fuzzy Hash: E65178B4D013098FDB14DFAAD549BAEBBF1EF88314F208459D009A7390DB386845CF65

                            Control-flow Graph
                            • Rendered graph omitted (entry block 788fafd)
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0788FD3E
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: d913360019a36b59eeb35ae67491cfe9c1434cac906ddd4bc0355df0ce6a4af2
                            • Instruction ID: 7819722c17d37ade383c8bf512e4fcd04bbb1b76f35a9ebe3ed7374fe3ffcd79
                            • Opcode Fuzzy Hash: d913360019a36b59eeb35ae67491cfe9c1434cac906ddd4bc0355df0ce6a4af2
                            • Instruction Fuzzy Hash: BBA16CB1D0021ADFEB64DF68C840BDDBBB2BF58320F1485A9E908E7240DB749985CF91

                            Control-flow Graph
                            • Rendered graph omitted (entry block 788fb08)
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0788FD3E
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: c1cb74507d1e58f1c760c4cb22d72d3fd5dd5f597ba9d50eca4ed4b83ad0e646
                            • Instruction ID: 47e8bbd44f16714c1937b6f1e23fa9d96de8820663f46d0c39a7c0cf313f7513
                            • Opcode Fuzzy Hash: c1cb74507d1e58f1c760c4cb22d72d3fd5dd5f597ba9d50eca4ed4b83ad0e646
                            • Instruction Fuzzy Hash: 9B915CB1D0022ACFEB64DF68C841B9DBBB2BF58314F1485A9E908E7240DB749985CF91

                            Control-flow Graph
                            • Rendered graph omitted (entry block 137b7e3)
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f90bd3cd46fdd5dfa31ceefac3bb6616c57b1589d627918c6a1c2d4ff4cf6854
                            • Instruction ID: 0aa139e3775ec8131dd584130ad34d1ab76ed3ea1f1538d40296bca7e85540d1
                            • Opcode Fuzzy Hash: f90bd3cd46fdd5dfa31ceefac3bb6616c57b1589d627918c6a1c2d4ff4cf6854
                            • Instruction Fuzzy Hash: 77815870A00B459FEB35DF6AD44076ABBF1FF88204F00892DD59AD7A54D738E846CB90

                            Control-flow Graph
                            • Rendered graph omitted (entry block 90b4ab4)
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: &jP
                            • API String ID: 0-3383443750
                            • Opcode ID: 237b44aa36e480ecc7ed1242594d1aa39fdd320b19e7502cf892d379ab39318e
                            • Instruction ID: 7b6119ad4bb4135860f3729790604b95f478122d247584e356d8648b1cba7c69
                            • Opcode Fuzzy Hash: 237b44aa36e480ecc7ed1242594d1aa39fdd320b19e7502cf892d379ab39318e
                            • Instruction Fuzzy Hash: C302D376A00214DFCB49DF98C984E99BBB2FF48324B1A8598E6099F272C731ED51DF50

                            Control-flow Graph
                            • Rendered graph omitted (entry block 1376485)
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01376541
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: bc56a28914ae23cd2c8164a23f6a4840dd5d8060572d6a93cff161e187ae1176
                            • Instruction ID: c13914946b1bc43922032f269f2d3e8b54a0018160d8ad6d08adc3b5875c6e60
                            • Opcode Fuzzy Hash: bc56a28914ae23cd2c8164a23f6a4840dd5d8060572d6a93cff161e187ae1176
                            • Instruction Fuzzy Hash: 4A41D2B1C0071DCBEB24CFA9C855BDDBBB2BF88314F20816AD408AB255DB75594ACF90

                            Control-flow Graph
                            • Rendered graph omitted (entry block 1374fe4)
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01376541
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 594b46aa39ac257b2dfbaf7d46164026a52da6ffef15c6a9e394ff39ea9bf16a
                            • Instruction ID: f8ca4e604a958dd8afcab00896fbb5cac9f99a3f6d830a63a607d0aec5711a95
                            • Opcode Fuzzy Hash: 594b46aa39ac257b2dfbaf7d46164026a52da6ffef15c6a9e394ff39ea9bf16a
                            • Instruction Fuzzy Hash: 404103B0C40B1DCBEB24CFA9C855B9DBBF6BF48314F20806AD408AB255DB756946CF90

                            Control-flow Graph
                            • Rendered graph omitted (entry block 78826a0)
                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0788268D,?,?), ref: 0788273F
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: 405725e2f8471505fe75ce30893e82445a9c1a41e63511c961f0e1c56ad2dd14
                            • Instruction ID: 24a2d94a144ccd9aedf6c46441ecffa71a10ba91c53c4c08c52b9cfc07fe39ca
                            • Opcode Fuzzy Hash: 405725e2f8471505fe75ce30893e82445a9c1a41e63511c961f0e1c56ad2dd14
                            • Instruction Fuzzy Hash: 1931E0B59003099FCB10DF9AD884A9EFBF5FF98320F14842EE919E7250D774A905CBA0

                            Control-flow Graph
                            • Rendered graph omitted (entry block 7881ac4)
                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0788268D,?,?), ref: 0788273F
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: ab679b94c73ea9a04708e94969fd5b9681ef4b991e21971ee4b9745327cf048d
                            • Instruction ID: b428d4e35c0459e7c96bc8af99a3c03d028d34a03f03fae137b244dd8e4cc07a
                            • Opcode Fuzzy Hash: ab679b94c73ea9a04708e94969fd5b9681ef4b991e21971ee4b9745327cf048d
                            • Instruction Fuzzy Hash: 6E31DFB5D0020A9FDB10DF9AD884A9EFBF5FB58320F14842AE919E7250D774A945CFA0

                            Control-flow Graph
                            • Rendered graph omitted (entry block 7882662)
                            APIs
                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0788268D,?,?), ref: 0788273F
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: DrawText
                            • String ID:
                            • API String ID: 2175133113-0
                            • Opcode ID: a7f334bef762d1c7545715bd9437f3afd1e856d61c19de7788c82ad9c0e66c8c
                            • Instruction ID: c3bbdc1955521d81dcad511f71dd9d844d3263c7c5c771a62be608f9dd8e23cb
                            • Opcode Fuzzy Hash: a7f334bef762d1c7545715bd9437f3afd1e856d61c19de7788c82ad9c0e66c8c
                            • Instruction Fuzzy Hash: 1E215AB6900309AFCB01DF99D840A9EBBF5FF58310F18801AE914E7211D731E915CFA0

                            Control-flow Graph
                            • Rendered graph omitted (entry block 788f878)
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0788F910
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 0360576b75386199ce42f31fe025eed731c60e0bf10e6d9d08a10042e3a3aa60
                            • Instruction ID: d26be0c72840f3ff02c9cd9fdeeb62c30b05f9581bea99074bca0d093e5f3095
                            • Opcode Fuzzy Hash: 0360576b75386199ce42f31fe025eed731c60e0bf10e6d9d08a10042e3a3aa60
                            • Instruction Fuzzy Hash: 172127B1D003499FDB10DFA9C881BEEBBF5FF88310F10842AE958A7250D7789945CB64

                            Control-flow Graph
                            • Rendered graph omitted (entry block 788f880)
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0788F910
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 25e4ec400169170ccf6a91374275ed6abb1ef009b416f1fdccd4e8bc4ba317b4
                            • Instruction ID: 644abbf9c79e0ece3bec5b8ae9ce17c793fe00a34e539940b303306c60258697
                            • Opcode Fuzzy Hash: 25e4ec400169170ccf6a91374275ed6abb1ef009b416f1fdccd4e8bc4ba317b4
                            • Instruction Fuzzy Hash: 702136B1D003099FDB10DFAAC881BEEBBF5FF48310F10842AE958A7240D7789945CBA4

                            Control-flow Graph
                            • Rendered graph omitted (entry block 788f6e0)
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0788F766
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: fbb26945b3baff62da185555ff13440eecacc9b88d12c92972f1d2caee07f948
                            • Instruction ID: 61a852c094b5fbb515ad5b072f2575fce5b4204a3fe5b258e29f759489ab963d
                            • Opcode Fuzzy Hash: fbb26945b3baff62da185555ff13440eecacc9b88d12c92972f1d2caee07f948
                            • Instruction Fuzzy Hash: D82139B1D003099FDB10DFAAC4857EEBBF4EF48324F54842AD559A7240DB789945CFA4

                            Control-flow Graph
                            • Rendered graph omitted (entry block 788f969)
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0788F9F0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: b6c69bf74404da038ca13ebd3bab3bc888e0090ff3e694055b3be92a12d6f486
                            • Instruction ID: 36b567de31d57814f9ff5365a9c06a25c08010d75c5ba604c45b7989585ae5c0
                            • Opcode Fuzzy Hash: b6c69bf74404da038ca13ebd3bab3bc888e0090ff3e694055b3be92a12d6f486
                            • Instruction Fuzzy Hash: 5D21F6B1C003599FDB10DF9AC841BEEBBF5FF48320F50842AE959A7240DB799941CBA5

                            Control-flow graph (rendered graph not preserved): basic blocks 788f6e8-788f733, 788f735-788f741, 788f743-788f773 (calls Wow64SetThreadContext), 788f775-788f77b, 788f77c-788f7ac; edges 788f6e8->788f743, 788f6e8->788f735, 788f735->788f743, 788f743->788f77c, 788f743->788f775, 788f775->788f77c
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0788F766
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 006025e4b5ff248faa1bad1b5aa27d1a9f43f9d663e3259a98e302c12f144121
                            • Instruction ID: 8d4622b0abfe5334cae9c313d678bea9f1401bab1d74b475a3c9db0415bc73d9
                            • Opcode Fuzzy Hash: 006025e4b5ff248faa1bad1b5aa27d1a9f43f9d663e3259a98e302c12f144121
                            • Instruction Fuzzy Hash: 632149B1D003098FDB10EFAAC4857EEBBF4EF48320F54842AD519A7240CB789945CFA4
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0788F9F0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: a9baf77619c26c40f8b25016731915937e5feb8aabd5b108004c95449c58b88d
                            • Instruction ID: 9f26b46e8d3bc6611d24376435dd6364c31788198989759d9a17bd241b1f57d6
                            • Opcode Fuzzy Hash: a9baf77619c26c40f8b25016731915937e5feb8aabd5b108004c95449c58b88d
                            • Instruction Fuzzy Hash: 0F2116B1C003599FDB10DFAAC841BEEBBF5FF48320F50842AE959A7240C7399941CBA4
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137DD47
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: de62f0cf2d6e2a5d30900e87d59c403ec7e5f5033b3bf30c548fc0fcc9a9b358
                            • Instruction ID: ade33fba89d9065a6aea4ecfb02b2b2d6887b677c7694ab7f411ce9d205f607a
                            • Opcode Fuzzy Hash: de62f0cf2d6e2a5d30900e87d59c403ec7e5f5033b3bf30c548fc0fcc9a9b358
                            • Instruction Fuzzy Hash: C321E3B5D002099FDB10CF9AD984ADEFBF5EF48310F14801AE914A3250C378A944CFA4
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0788F82E
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: a6a7fa7017fd9615f8192d6440661980a318074603ab600a286c618db5bab794
                            • Instruction ID: 33957f5d7cec272ce53fcf26c3bdf94661c500e121df2d1d57e907f8322207e0
                            • Opcode Fuzzy Hash: a6a7fa7017fd9615f8192d6440661980a318074603ab600a286c618db5bab794
                            • Instruction Fuzzy Hash: 6D116A71D003099FDB20DFAAC845BEEBBF5EF48320F14841AE919A7250CB399951CFA5
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137BAC1,00000800,00000000,00000000), ref: 0137BCD2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: ba5d5c47b15231488f1be79ee4165bf86b1f4b2ee6af65ce6171189a5876c933
                            • Instruction ID: bbe220ad7eb1b96567106261d469306ee5f227c0c48200f298a643d2fd659234
                            • Opcode Fuzzy Hash: ba5d5c47b15231488f1be79ee4165bf86b1f4b2ee6af65ce6171189a5876c933
                            • Instruction Fuzzy Hash: AA1114B6C003499FDB20CF9AC544B9EFBF8EB88314F10842AD519A7200C779A545CFA4
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0788F82E
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 060b2c057cf157b66538056f9da29417af397a362b58c94ee86da6bfbee14881
                            • Instruction ID: 4e791635723710702fdedac6dbdd8a606cadd1ff3b196f9ba6fd78675d32775b
                            • Opcode Fuzzy Hash: 060b2c057cf157b66538056f9da29417af397a362b58c94ee86da6bfbee14881
                            • Instruction Fuzzy Hash: F3113771C003499FDB20DFAAC845BDEBBF5EF88320F14841AE915A7250CB799941CFA0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137BAC1,00000800,00000000,00000000), ref: 0137BCD2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 43f8629726ee77fd27ca5d2e9bdf2c9fa7380f5d0dfdb7ccc084b6edfa6a8213
                            • Instruction ID: 33e774911f5db03c4c2e41cfe85d5102c7cb32a902258c4ac84ee396812d1f7b
                            • Opcode Fuzzy Hash: 43f8629726ee77fd27ca5d2e9bdf2c9fa7380f5d0dfdb7ccc084b6edfa6a8213
                            • Instruction Fuzzy Hash: FB1114B6C003498FDB24CF9AD545BDEFBF4AB88310F10842AD919A7640C779A545CFA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 4fa1dc77325c29db0b2d3e2e40b26a7e082bc4d784ec013ceea1578a48277c83
                            • Instruction ID: 208fb1949b59e4095a360853e7626a8272422b0e55f8d1b4e50a5b240afaf4fd
                            • Opcode Fuzzy Hash: 4fa1dc77325c29db0b2d3e2e40b26a7e082bc4d784ec013ceea1578a48277c83
                            • Instruction Fuzzy Hash: FE1149B5D003498FDB20DFAAC4457EEFBF5AB88220F248419D559A7340CB399945CB90
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1309669663.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7880000_QQ.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 9faa5b2eeabe6f7e0f0ccf119193ce08af08cf0734f2f8551afb97203aee1ad0
                            • Instruction ID: 17fa10972de6c7287c893be2985f19c2d463142d1c16ec9cdd9ee2d50852b6b4
                            • Opcode Fuzzy Hash: 9faa5b2eeabe6f7e0f0ccf119193ce08af08cf0734f2f8551afb97203aee1ad0
                            • Instruction Fuzzy Hash: 0B113AB5D003498FDB20DFAAC4457EEFBF5EB88320F24841AD519A7240CB79A945CFA4
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07952EFD
                            Memory Dump Source
                            • Source File: 00000006.00000002.1310030884.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7950000_QQ.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 6ca8e7a97a221dadf1441b20dc8366322fee292cd5d6f59757961e688f1fa595
                            • Instruction ID: 17e9bb2e8f5065dbfdc81d51121eddfcd881f25faee17cb06aefb80f03c19b7f
                            • Opcode Fuzzy Hash: 6ca8e7a97a221dadf1441b20dc8366322fee292cd5d6f59757961e688f1fa595
                            • Instruction Fuzzy Hash: B511E3B58003599FDB20DF9AD845BDEFFF8EB48324F20845AD958A7640C375A944CFA1
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0137BA46
                            Memory Dump Source
                            • Source File: 00000006.00000002.1295416102.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_1370000_QQ.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 7d2ac3049078f8383f08300a1300010848753b9c97fbb74525a974cbda50ab30
                            • Instruction ID: eb56b75d3ab14d7a523eb32e36bc370ffea999b00080fe12e1ee0dbd8104a661
                            • Opcode Fuzzy Hash: 7d2ac3049078f8383f08300a1300010848753b9c97fbb74525a974cbda50ab30
                            • Instruction Fuzzy Hash: A1110FB5C002498FDB20EF9AD444BDEFBF4AF88224F10842AD528B7200C379A545CFA1
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07952EFD
                            Memory Dump Source
                            • Source File: 00000006.00000002.1310030884.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7950000_QQ.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: e1e4ef4b828ba4a7d2dc5977dcb4da1508348d26a4f63f45d581d6d35caf4357
                            • Instruction ID: 931d64b347075d7cfa5bf0c7fde35dcb58a8012e496e65f66b2a883b1dba203a
                            • Opcode Fuzzy Hash: e1e4ef4b828ba4a7d2dc5977dcb4da1508348d26a4f63f45d581d6d35caf4357
                            • Instruction Fuzzy Hash: 40F0E2B68003599FDB20DF89D885BDEBBF4FB48324F10841AE958A7250C379A584CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: 3
                            • API String ID: 0-1842515611
                            • Opcode ID: 4cda27eb98331f0bfeadb122e9fb471e08c554ede107954d9d469ca9d2e015f5
                            • Instruction ID: f98c1e82711781caa27151b9a7d1b0c552d02c8b77336a6c7c80724417369562
                            • Opcode Fuzzy Hash: 4cda27eb98331f0bfeadb122e9fb471e08c554ede107954d9d469ca9d2e015f5
                            • Instruction Fuzzy Hash: 62212935689244DFC315CB54C850AAEBBB9EB95398F25C99AD8068F3B2C632DC42C751
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: O
                            • API String ID: 0-878818188
                            • Opcode ID: ede60269e9ef45501f92668be6145c89327cab8d0de138c94076737e360fbfa7
                            • Instruction ID: e10153090277cef5c045f2460e2c4b4034bbf20fc9fbcebaf7757bd1a40599f2
                            • Opcode Fuzzy Hash: ede60269e9ef45501f92668be6145c89327cab8d0de138c94076737e360fbfa7
                            • Instruction Fuzzy Hash: 7021C6706057449FC711DF79C844A6BBBF5EFC9300B00896EE559CB321DB35A905CB51
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: \)tl
                            • API String ID: 0-2555675624
                            • Opcode ID: 0be82020e49a0083dd4116c5e0f3488ca683a4637f808521eecc204374a9af88
                            • Instruction ID: 1148670acb56673c1801a2473c226b76bf57712398bc41d83ebf728af6a6a676
                            • Opcode Fuzzy Hash: 0be82020e49a0083dd4116c5e0f3488ca683a4637f808521eecc204374a9af88
                            • Instruction Fuzzy Hash: 58F02430908288DFE702DBB8D814BEDBFF59F46300F0098A9C045AB192CB34098ECB52
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: r
                            • API String ID: 0-1812594589
                            • Opcode ID: 7d41358c0c010d11254facce49d65995ceca06cd57139bd9f87fc67df28c5207
                            • Instruction ID: adfdacae27cab5588a61197c06a4fd24b74cbc271628538ad92071581347e5c9
                            • Opcode Fuzzy Hash: 7d41358c0c010d11254facce49d65995ceca06cd57139bd9f87fc67df28c5207
                            • Instruction Fuzzy Hash: 17F03430918225EBE708CF58D1588ECB3BAFF4A342710EA95C08EAE216C7309842CB10
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: \)tl
                            • API String ID: 0-2555675624
                            • Opcode ID: 42a5f8c9596730a9c2334dd6f05b518df7eed80d1922d5d9964749c483d461ab
                            • Instruction ID: 71c8306e941753c6210926ead5d6b4239e4a50a5e00cb72bcc47246cb616d6ff
                            • Opcode Fuzzy Hash: 42a5f8c9596730a9c2334dd6f05b518df7eed80d1922d5d9964749c483d461ab
                            • Instruction Fuzzy Hash: 14F0E570904208DFE700EBA5D909BEE7BF9AF45340F00E835C105AB695CF34558ACB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: *
                            • API String ID: 0-163128923
                            • Opcode ID: 72685396530840e0dc12fb8d763e17630add91e73bad836603fac7a02c207563
                            • Instruction ID: 037e8470e23537d60f78d7c0a809219aac2a043acb87e07bd9a0533a0573047f
                            • Opcode Fuzzy Hash: 72685396530840e0dc12fb8d763e17630add91e73bad836603fac7a02c207563
                            • Instruction Fuzzy Hash: CBD0173250F2C8EFC3068774A8654AD7F7A9F13348B1406DAE4498B6A3D6660E09DB52
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: D<Z
                            • API String ID: 0-1559290824
                            • Opcode ID: fcc6536d151559f4760a01603e2b1dd7815809b5891b9534c77239ab198e0dc7
                            • Instruction ID: b93ff7dee77addf5dc1bdb4dee9c61dde25ccd020ea468bb364843ecd84463f4
                            • Opcode Fuzzy Hash: fcc6536d151559f4760a01603e2b1dd7815809b5891b9534c77239ab198e0dc7
                            • Instruction Fuzzy Hash: D2E08674D011199FC751EFA9EC045DD7BBAEFA43417009A05D1069FB49D734580A8F51
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            • Opcode ID: 191b6c8edc91f76940ad87f3e7f874ef46049bcf686d12fe242e8847ba308829
                            • Instruction ID: 22fbad48fd2322b4ad432f5e8fe08fe71dcf0c84580dbcfeee0280fa2258f083
                            • Opcode Fuzzy Hash: 191b6c8edc91f76940ad87f3e7f874ef46049bcf686d12fe242e8847ba308829
                            • Instruction Fuzzy Hash: E1D0C930406208EFC705DF85D4416ECB7ECEB42361F0846EA96098B621E6325A049795
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: *
                            • API String ID: 0-163128923
                            • Opcode ID: 2ad6cbf755508d8ab2bce94751f1309f250f0b2c17013858ee7c62a1029ea9c1
                            • Instruction ID: 5825344ac052f6858bce8930914b993e046dfc62501d33265c01e99447511c7b
                            • Opcode Fuzzy Hash: 2ad6cbf755508d8ab2bce94751f1309f250f0b2c17013858ee7c62a1029ea9c1
                            • Instruction Fuzzy Hash: 93C08C31A0828DEBC704CB94E9095BDB7FDEB01384F000498E80E47662DBB21F04AA86
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            • Opcode ID: b83397b6450317f20c125684e54875aacb9bffa9503094028829b491255dfcb8
                            • Instruction ID: ab0325df2ece127b11501864f3153edd8f0c073ac595addab5132ed354446531
                            • Opcode Fuzzy Hash: b83397b6450317f20c125684e54875aacb9bffa9503094028829b491255dfcb8
                            • Instruction Fuzzy Hash: 15C08C3040A20CE7CA00DE81D8017ECF3ACDB012A0F0405CA9A090B201EA321F009286
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba56fa95f2f48ce763b2d1cb75b909cec6a1169934ad58aa9eb0c1f5558c8b3c
                            • Instruction ID: 628242954773129bab7bfc03235ad4cdd71b2e0e1f509725a6ddd90a64a0f7cb
                            • Opcode Fuzzy Hash: ba56fa95f2f48ce763b2d1cb75b909cec6a1169934ad58aa9eb0c1f5558c8b3c
                            • Instruction Fuzzy Hash: 1AA15C346017008FC719EB38D454AAABBE6FF89301F15896DE51ACB361DB35AC46CB91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45905b0be20703748d24efc9ba866c1a57b0b30927541cdf52a624041e68cb52
                            • Instruction ID: 467a5e83873273f5865dc4afcb2f071a11b2bdcd51efc31134bccf888d3c6ecb
                            • Opcode Fuzzy Hash: 45905b0be20703748d24efc9ba866c1a57b0b30927541cdf52a624041e68cb52
                            • Instruction Fuzzy Hash: B7916F35A012099FCB05DFA8D4809EEB7F6FF89304B24856AE805EB361EB35DD06CB51
                            Memory Dump Source
                            • Source File: 00000006.00000002.1307758403.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7530000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00cd87589b4928e0f0bdee74264cd113895f8d0f5139216acedffaf19cdead65
                            • Instruction ID: 244f6a96c8eeaed48882791d1a272f4331f186d9043d57d070d5f303a9d6ae64
                            • Opcode Fuzzy Hash: 00cd87589b4928e0f0bdee74264cd113895f8d0f5139216acedffaf19cdead65
                            • Instruction Fuzzy Hash: 1D71BFF1E14259CFEB148B98C844AEDB7B6FB81319F158566E402AF2B5C7B1AC42CF41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e42efcebecb7cbff3a15da8b08811edc0f83e3f23cf354691beb17ceea218fa6
                            • Instruction ID: c79187f8351c2f8f3b5ea91489f998dce7060cf9b07e0c4968e15af5c4622883
                            • Opcode Fuzzy Hash: e42efcebecb7cbff3a15da8b08811edc0f83e3f23cf354691beb17ceea218fa6
                            • Instruction Fuzzy Hash: 156191356002059FCB15DF69C890ABEBBF3EFC8350B148D6EE556AB791CB31AD028B51
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f52507e4037c09f71ec83eef428c0c0fd20e85e8378122a0c19ea90bc57f9f9
                            • Instruction ID: ae1994c875e14df03260b52e31d3c5f673343f2c1d778356c05395b84b133fb1
                            • Opcode Fuzzy Hash: 3f52507e4037c09f71ec83eef428c0c0fd20e85e8378122a0c19ea90bc57f9f9
                            • Instruction Fuzzy Hash: 1461C631F00206CFCB19AF74C9546ADBBF6EF89244B10096ED616AB392DB318D02C795
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1c8af074b46b01da4acf7466f9c09e2a3cc11f4d5673687385d90f8f7b0bd03
                            • Instruction ID: 6ae906c1267ec6bb84ef276c48bda4726a702c352cc764f74bc45270a2a0508f
                            • Opcode Fuzzy Hash: a1c8af074b46b01da4acf7466f9c09e2a3cc11f4d5673687385d90f8f7b0bd03
                            • Instruction Fuzzy Hash: 1B813734600B048FC759EF38C454A9EBBE6FF89305B11896DD51A8B361EF31AD46CB91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1307758403.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7530000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8362540d07aa66124608f9308d0b9d6e63d485d27972cce0b2f8d3ed09f0a533
                            • Instruction ID: e06d60d9bffc7078da246ecf8f13d0a7a50e08f5c7283b45e23ca3552c7247c8
                            • Opcode Fuzzy Hash: 8362540d07aa66124608f9308d0b9d6e63d485d27972cce0b2f8d3ed09f0a533
                            • Instruction Fuzzy Hash: A1917C72C10B02CBDB01EF69C884196B7B1FF99314B15CB6AEC997F215EB31A594CB90
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e0d9d8df47db19baa11681cd0e917007d279622614e06021296a7d23f0ab5e6
                            • Instruction ID: b0c024798f8be8088ccbdbb5cb175424dfe4df5b41558cdcebd7ca5d0e09399d
                            • Opcode Fuzzy Hash: 7e0d9d8df47db19baa11681cd0e917007d279622614e06021296a7d23f0ab5e6
                            • Instruction Fuzzy Hash: 0551E274E04219CFDB08CFAAC984AEEBBB6FF89300F108429D51AAB355DB715906CF50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cdfb0a7efdb7821d503a2f52189b468b258e2ffecb98d51953dcb9a740257589
                            • Instruction ID: 89b90c800f36b391205a55069d522a5cd7e892ac8c6cda1b49b536e4c91935f8
                            • Opcode Fuzzy Hash: cdfb0a7efdb7821d503a2f52189b468b258e2ffecb98d51953dcb9a740257589
                            • Instruction Fuzzy Hash: E9513970905229DFEB04CFA9D5849EDBBFAFF49340F149959E48AAB252C730A981CF50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8e646a988b15f362827bc7f4bd436ac91a119d11dc000d127d9463ebb224a83
                            • Instruction ID: 4e2200298b00ef5670315a0296acdec85120fe012425e54cb32eec68ea5adc1e
                            • Opcode Fuzzy Hash: e8e646a988b15f362827bc7f4bd436ac91a119d11dc000d127d9463ebb224a83
                            • Instruction Fuzzy Hash: 1A518074909788DFC306CB79E954998BFF1EF4A200B2A84D6D484DF2B3D6359D05CB12
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b118808b4227fc8c2625f2f97702f734123f7f65f98b4f6d6d1a8f7f0ba6aa31
                            • Instruction ID: 9b057e7e633859b84e36bb467d352508cb7216cb04e1484f4fdcb5921e03800f
                            • Opcode Fuzzy Hash: b118808b4227fc8c2625f2f97702f734123f7f65f98b4f6d6d1a8f7f0ba6aa31
                            • Instruction Fuzzy Hash: F9512E34B001189FD758DBA9D96466EB7F6FFDC254B248069E806E7396CA329C03CB90
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b78a4c97a87ee40027f772e53e97d2a5018dca734326b4e2cfab4d0a5039dad2
                            • Instruction ID: 020d6d10f83ca2c5e0c4624e28b88d8871ba590f95f0f2dfe33511d8d678bd7f
                            • Opcode Fuzzy Hash: b78a4c97a87ee40027f772e53e97d2a5018dca734326b4e2cfab4d0a5039dad2
                            • Instruction Fuzzy Hash: 0751E174E05219CFDB08CFAAC984AEEBBB6FF89304F10842AD519AB355DB715906CB50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8dba3e4ad627978028c0bd34979cea6de0068b0dd0145804c1feda6495913306
                            • Instruction ID: cc1b0b5777d9bd664bf6c174ced639e21aa77c47d5196a751ba5a69961cecc98
                            • Opcode Fuzzy Hash: 8dba3e4ad627978028c0bd34979cea6de0068b0dd0145804c1feda6495913306
                            • Instruction Fuzzy Hash: D4418A75E092189BDB08CFAAD9446EEBBF6FF8D341F14D429E409AB251C7344880CF64
                            Memory Dump Source
                            • Source File: 00000006.00000002.1307758403.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7530000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0e6c11fdbcd1ca43ba02e979f619559ea0540da86ea87664f307ad6688ee447f
                            • Instruction ID: 1a30ee34db3d14e3397511331aa922eee6763c8dfc33bb5bef5b6cd00843abb4
                            • Opcode Fuzzy Hash: 0e6c11fdbcd1ca43ba02e979f619559ea0540da86ea87664f307ad6688ee447f
                            • Instruction Fuzzy Hash: C841CD34A04300DBE721DB35C850BBB77A6BF89314F244A59E9668F2D1DB34BD4287A1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27eda8148281882dd4659bb9fa64d1e1a0c38e960089a586aa7d346f04991240
                            • Instruction ID: 4ef4ab33db8da98e5a652e18520134900ae22f6dea63a57b9fba46813a19e51d
                            • Opcode Fuzzy Hash: 27eda8148281882dd4659bb9fa64d1e1a0c38e960089a586aa7d346f04991240
                            • Instruction Fuzzy Hash: 08414B74E19219DFCB05CFA4E9849EEBBB4FF0E380B0158A5E462AB312D7309811CF64
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: efdf22fbb9717efa9ec7242f7c48a120d3e0757654c1619a76738be235ebc7d9
                            • Instruction ID: 806e892ed76dbd77d138f1e07dd7b2e0b58d4cb630ca761779349a37c51fe6ac
                            • Opcode Fuzzy Hash: efdf22fbb9717efa9ec7242f7c48a120d3e0757654c1619a76738be235ebc7d9
                            • Instruction Fuzzy Hash: 0E41F574E15219DFCB48CFA8E9848EEBBB4FF4D390B115CA5E426AB312D7309850DB64
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a491226b6757640f427939fd64e6dd127864f8374dc887bf8837d51cbafe3c4
                            • Instruction ID: 5d61685032993b026cade5278e1ab15cbb7a8d097deac4078f04551f9a0f50b9
                            • Opcode Fuzzy Hash: 3a491226b6757640f427939fd64e6dd127864f8374dc887bf8837d51cbafe3c4
                            • Instruction Fuzzy Hash: 2B418E356012098FCB05DFA4C994AEE7BF6EF49304F1584A9E905AB361DB36ED05CF90
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c65ce48483fbb555688d1bb93f246dabab459037eb3b4e4354bfe062e60aa3b
                            • Instruction ID: 6ed7074210b5bfdad5c5410ff0125fb4670339c7566c1a934f9f9213e5c4f258
                            • Opcode Fuzzy Hash: 3c65ce48483fbb555688d1bb93f246dabab459037eb3b4e4354bfe062e60aa3b
                            • Instruction Fuzzy Hash: F741BA75E0122D9FCB54CFA8C884AEDBBF2BB09310F509825E815FB211DB359981CF14
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 95ec42ef97cb4a9003b000dc09399cad1e000d55c39fb5d31dc3914a62e1cce0
                            • Instruction ID: 5649068ca19e32e9c3da70e8963fa0768c63a3bbf76a0aa68e9f04ddab2fd0e7
                            • Opcode Fuzzy Hash: 95ec42ef97cb4a9003b000dc09399cad1e000d55c39fb5d31dc3914a62e1cce0
                            • Instruction Fuzzy Hash: D041F374E1921DDFCB04CFA8E9848EDBBB4FB0D391F0058A5E426AB312D7319811DB24
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b51da13771c5f190176df92d923213db1b26e09ebab5b4cba4a10902e5a7934
                            • Instruction ID: bf19fef88d535ba35d04a7c312907a8184f2fc2b7d25ddc78308e7c0f36357ea
                            • Opcode Fuzzy Hash: 6b51da13771c5f190176df92d923213db1b26e09ebab5b4cba4a10902e5a7934
                            • Instruction Fuzzy Hash: 98317C34A041099FC705EFA8C864B6EB7A2FF98384F248469E4069F3E7CF7199038B41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be981e6beca105a078fbdb61a06d9bcdab08f01df119160158d563bc4dedab72
                            • Instruction ID: 515e7d6723c4f40795df2a8b0ff23ff452cd75040ef70ab1247e2640aa5b027a
                            • Opcode Fuzzy Hash: be981e6beca105a078fbdb61a06d9bcdab08f01df119160158d563bc4dedab72
                            • Instruction Fuzzy Hash: 703159B4A00258CFDB50EF64D988AEDBBB5FB48340F009299E40ADB746DB305D85CF50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1294514839.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_130d000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5f179c2e0b92b30011629f441df8bdc1a7e13e68833efbe6710612b5dc3ee1f
                            • Instruction ID: 319b05416e1f865fa8ac5b4d3fecad83ea1ba4114bc88fdd90a8e4d87739e092
                            • Opcode Fuzzy Hash: c5f179c2e0b92b30011629f441df8bdc1a7e13e68833efbe6710612b5dc3ee1f
                            • Instruction Fuzzy Hash: 0321F171504244DFDB16DF98D9D0B26BFE5FB8832CF20C569EC090B696C336D456CAA2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1294648671.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_132d000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cf20fa923f69620d3d2b75243a856020cf398b8760286f605ba0619631f1743
                            • Instruction ID: 0dfe9a2683c118a3c1425d917def4629f7a85caa6bb66f80bd0cf1527ec60272
                            • Opcode Fuzzy Hash: 7cf20fa923f69620d3d2b75243a856020cf398b8760286f605ba0619631f1743
                            • Instruction Fuzzy Hash: 19210475604304DFDB05EF94D9C4B26BBA5FB88328F24C5ADD9494B742C33AD846CAA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1294648671.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_132d000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 39f186cb842e3aed151682409286ede3cad89938ccf3c00f6726ed009374cdef
                            • Instruction ID: 63c4d642cc987f9d36f91a2f765452fb268a18d6fe7a002b9b4ff1bce2d4250d
                            • Opcode Fuzzy Hash: 39f186cb842e3aed151682409286ede3cad89938ccf3c00f6726ed009374cdef
                            • Instruction Fuzzy Hash: 3F212271604344DFDB15EF54D9C4B16BB65FB84318F20C56DD84A0B7A6C33AD807CAA2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 191fc2b7404916457d97f84e0d91a2c1364b7619727eb2166bb01a6e8fc28067
                            • Instruction ID: b9e01f08a9c1bccf18fd6e3aa487b79acc3054dbf96cdc94ec14d65f9738a221
                            • Opcode Fuzzy Hash: 191fc2b7404916457d97f84e0d91a2c1364b7619727eb2166bb01a6e8fc28067
                            • Instruction Fuzzy Hash: 8F110A35248104DFD315CA04C850AAEB7A9EB95398F15C85AE9064F372C732DC42C791
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 84ad54b4ae9be2cb83dffa83fde7beb15d0c15a8215b824cda5c844438b8ebd9
                            • Instruction ID: 7cf93c5523ba5f7944430c30cd5c06824bba2ee318223f545b2ddf143b975eab
                            • Opcode Fuzzy Hash: 84ad54b4ae9be2cb83dffa83fde7beb15d0c15a8215b824cda5c844438b8ebd9
                            • Instruction Fuzzy Hash: A8214871D05228DFDB08CFAAD454AEEBBF6FF89300F248469E449AB352D7755941CB40
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d582d78399cc7eb4507498e7ff5f64a36ac73ffdae1a60951b17c7decda023a
                            • Instruction ID: 823728beb3a528d50e06e1acf1eab0281f6fc859420ede7bda4a49d2c0355831
                            • Opcode Fuzzy Hash: 2d582d78399cc7eb4507498e7ff5f64a36ac73ffdae1a60951b17c7decda023a
                            • Instruction Fuzzy Hash: B2314574A05258CFDB40EF68D948AEDBBBAFB54340F108698D509AB75ADB309D84CF81
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ee2a42eb0e3a5b4ec69217fc810467c5fc5ddd49398a3e8f7bf47c136a0f950
                            • Instruction ID: 391c1b2c2e57e17b79bbd7145c99434096278efa5111ba2cb2435339801e9baa
                            • Opcode Fuzzy Hash: 4ee2a42eb0e3a5b4ec69217fc810467c5fc5ddd49398a3e8f7bf47c136a0f950
                            • Instruction Fuzzy Hash: 1F11C471A007155F8B55EB7D8C405BFB6FAEEC42607148E29E424EB281EF30990547A2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09ebf43b5c7c50692e2d1a185e40e1ba2d6add121dcd1569c84ae3939c126a34
                            • Instruction ID: 3b0d357042915c0859336a17694a4be1b85dc3004bfffd090cd0ede01538a85e
                            • Opcode Fuzzy Hash: 09ebf43b5c7c50692e2d1a185e40e1ba2d6add121dcd1569c84ae3939c126a34
                            • Instruction Fuzzy Hash: A621C675E09209DFCB44CFA9C1809EEBBF5EF49340F609499D809AB756D7309A41CF61
                            Memory Dump Source
                            • Source File: 00000006.00000002.1294648671.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_132d000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fe36ff65e1d88add704992ff0e795cf246e26d9f7bb310df2bff4b546d045409
                            • Instruction ID: a63f5fd76be8f4c4f141195d27a8ffddeb2056cdabb347f95c19ccfb0a50920d
                            • Opcode Fuzzy Hash: fe36ff65e1d88add704992ff0e795cf246e26d9f7bb310df2bff4b546d045409
                            • Instruction Fuzzy Hash: FF2180755083809FCB02DF64D994711BF71EB46318F28C5DAD8898F2A7C33A9816CB62
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 608db8fa41574b7b9ca5d89bb88e8b9ba343cb86d9a60e3540800d56730f9713
                            • Instruction ID: 36d1c1975194bb516537d72a636c7a21ceaf70e73605b5e50b21d38d5f904bda
                            • Opcode Fuzzy Hash: 608db8fa41574b7b9ca5d89bb88e8b9ba343cb86d9a60e3540800d56730f9713
                            • Instruction Fuzzy Hash: BB112B30214104DFC745A729DC105AE77AAFFDA3D4B1488EAE4068F396CE325C028BE1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0fb0b9cea7c750ffa76bc51aa480fc4ef0c6da9cf5f356450e59dd6536db671
                            • Instruction ID: fabbeda349e7daa3ceae9ee28000c0a67da8f44f30323996736d706681d2ad40
                            • Opcode Fuzzy Hash: a0fb0b9cea7c750ffa76bc51aa480fc4ef0c6da9cf5f356450e59dd6536db671
                            • Instruction Fuzzy Hash: 1921D874A10908DFD704DF6AE684999BBF5FF8C310B6680E8D4489B326EB31EE10DB04
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b2e08b2f79cceccd4cf21ea432d56417918ef8f1f20fe512a5a0b3a73e7e5a28
                            • Instruction ID: 86c83440e4c7991c1354363cc7dc6af852e58fddca4a59ae421078777110645f
                            • Opcode Fuzzy Hash: b2e08b2f79cceccd4cf21ea432d56417918ef8f1f20fe512a5a0b3a73e7e5a28
                            • Instruction Fuzzy Hash: F21191B1A003064F8B56EB795C405BFBBF6EFD4260B248A2DE464DB380EF309A058761
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 54f3bb562bc4a6bc4e1107534d6a16f8ca2a229f6eac1be35ca4c24d8b889832
                            • Instruction ID: a81b4593bce951d63ba3ae38ea418dd4e0a5af482317cfefe35f9f9908af7d70
                            • Opcode Fuzzy Hash: 54f3bb562bc4a6bc4e1107534d6a16f8ca2a229f6eac1be35ca4c24d8b889832
                            • Instruction Fuzzy Hash: 2621C5B5E09209DFCB40DFA9C180AEEBBF5EF48340F609459D809A7716D7709A41CF61
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5667182ed1a6dd9ed854eb34f9cc22ff73b5acd8520d38f070d179623bc387ea
                            • Instruction ID: caa6836d94a4aa14edf32417e7864d646bf6931e992791678d58346baba300b4
                            • Opcode Fuzzy Hash: 5667182ed1a6dd9ed854eb34f9cc22ff73b5acd8520d38f070d179623bc387ea
                            • Instruction Fuzzy Hash: 7B11FE31F002199BCB55EBB998117EEBBF6AFC4351B20446AD505EB684EB718D01CBA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1294514839.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_130d000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                            • Instruction ID: e47a33ae47c9d252c2b3389d0edc7d1fc6a19d7612c73df0a940adbc6875a920
                            • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                            • Instruction Fuzzy Hash: 6511AF76504280CFCB16CF54D5C4B16BFB2FB88328F24C6A9DC490B696C336D45ACBA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7a88a598e7813971f53602aad925579767ba0b1beb3bc93cc0dd46f156eb033
                            • Instruction ID: 5238b4e7c19dcdbd1c2997c44d39cac0fab3db7e1666c1735b988b3f34d92985
                            • Opcode Fuzzy Hash: a7a88a598e7813971f53602aad925579767ba0b1beb3bc93cc0dd46f156eb033
                            • Instruction Fuzzy Hash: 1E110274D08208EFCB44CFA9C5409EDBFF9EB4A340F149999D459AB312D7309A05DB40
                            Memory Dump Source
                            • Source File: 00000006.00000002.1294648671.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_132d000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                            • Instruction ID: 5559a76df26b1276460ef93c0dfdbd28d4130fbb1477f9d8f2047ef0215ec832
                            • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                            • Instruction Fuzzy Hash: B611BB79504280CFCB06DF54D5C0B15BFA2FB84328F28C6A9D9494B692C33AD40ACBA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1307758403.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_7530000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3264fe5c684067a631545e5c732c447382dc61eb8c029ff9331f088009262129
                            • Instruction ID: 39d8618be8fa03ef9dc766e079cce6fed3f9e58b9522dd026b0cb18dd283c11b
                            • Opcode Fuzzy Hash: 3264fe5c684067a631545e5c732c447382dc61eb8c029ff9331f088009262129
                            • Instruction Fuzzy Hash: 9F116B306083808FE7199635DC507E77B75AB8A324F1845ABE9958F3D2CA35AC02C771
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            • Instruction Fuzzy Hash: E6D0CA70D09209CFCB00CF90C1486EDB7B4FB08340F204418D01AA6281C335A9068F00
                            Memory Dump Source
                            • Source File: 00000006.00000002.1312409830.00000000090B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_90b0000_QQ.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d8468d5139322b0352df088f1143a7d5fc4399f02ae7e40ebd6a55c4ee90c3b
                            • Instruction ID: af7420df72e8e3a7a35fb608f31f849dc1739c766f048ecfecd6087c933ee0ae
                            • Opcode Fuzzy Hash: 4d8468d5139322b0352df088f1143a7d5fc4399f02ae7e40ebd6a55c4ee90c3b
                            • Instruction Fuzzy Hash: D4B01275254301E7529176B88D80F2E5821EFF5731B808C1A720949000C4214869DA6B