
Windows Analysis Report
Certificate_of_registration.exe

Overview

General Information

Sample name: Certificate_of_registration.exe
Analysis ID: 1465318
MD5: 74306ff01db05a602a39c5da423b8d00
SHA1: f9326efd199cc26ebbc48109c3903e9be25f0b0c
SHA256: 9fa768cb5a871346c0831394150d09b4697c564536ae523b539aa12a17d015b6
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Certificate_of_registration.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\Certificate_of_registration.exe" MD5: 74306FF01DB05A602A39C5DA423B8D00)
    • vbc.exe (PID: 7328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • WerFault.exe (PID: 7516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 516 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • cmd.exe (PID: 7340 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7436 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7496 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7532 cmdline: "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Phtos.exe (PID: 7620 cmdline: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe MD5: 74306FF01DB05A602A39C5DA423B8D00)
    • vbc.exe (PID: 7764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • WerFault.exe (PID: 7816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 528 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • cmd.exe (PID: 7772 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7860 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7896 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7916 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Phtos.exe (PID: 6808 cmdline: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe MD5: 74306FF01DB05A602A39C5DA423B8D00)
    • vbc.exe (PID: 7180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • cmd.exe (PID: 5544 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7368 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7468 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7460 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Phtos.exe (PID: 7776 cmdline: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe MD5: 74306FF01DB05A602A39C5DA423B8D00)
    • vbc.exe (PID: 7864 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • cmd.exe (PID: 7880 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7916 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2668 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 3052 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Phtos.exe (PID: 5224 cmdline: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe MD5: 74306FF01DB05A602A39C5DA423B8D00)
    • vbc.exe (PID: 7004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • cmd.exe (PID: 7184 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7360 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7368 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7440 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Phtos.exe (PID: 4556 cmdline: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe MD5: 74306FF01DB05A602A39C5DA423B8D00)
    • vbc.exe (PID: 1720 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • cmd.exe (PID: 7552 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 504 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6112 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 6108 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware Configuration (extracted)

Host:Port:Password: morrrw.ddns.net:6609:0
Assigned name: GOD HOPE
Connect interval: 1
Install flag: Disable
Setup HKCU\Run: Enable
Setup HKLM\Run: Enable
Install path: Application path
Copy file: remcos.exe
Startup value: Disable
Hide file: Disable
Mutex: Rmc-Q2SG61
Keylog flag: 0
Keylog path: Application path
Keylog file: logs.dat
Keylog crypt: Disable
Hide keylog file: Disable
Screenshot flag: Disable
Screenshot time: 10
Take Screenshot option: Disable
Take screenshot title: (empty)
Take screenshot time: 5
Screenshot path: AppData
Screenshot file: Screenshots
Screenshot crypt: Disable
Mouse option: Disable
Delete file: Disable
Audio record time: 5
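The configuration above was recovered from the sample's settings blob. As an added example (this is neither the Joe Sandbox extractor nor Remcos code), the following Python decodes a blob in the layout widely documented for the Remcos "SETTINGS" RCDATA resource: one byte giving the RC4 key length, the key itself, then the RC4-encrypted settings. The key-length prefix and the RC4 layer are well established; the field separator `|\x1e\x1e\x1f|`, the assumption that the first two fields are the host list and the assigned name, and the key used to build the test blob are this example's own assumptions.

```python
"""Decode a Remcos-style SETTINGS blob laid out as [key_len][rc4 key][rc4(config)]."""

SEP = b"|\x1e\x1e\x1f|"  # field separator between settings (assumed for this example)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_settings(blob: bytes) -> dict:
    """Recover the RC4 key, the raw settings fields and the C2 triple."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("key length byte does not fit the blob")
    plain = rc4(key, blob[1 + key_len:])
    fields = plain.split(SEP)
    # Positional meaning of field 0 (host:port:password) and field 1 (assigned
    # name) is an assumption of this example, chosen to match the report's output.
    host, port, password = fields[0].decode("latin-1").split(":", 2)
    return {
        "key": key,
        "fields": [f.decode("latin-1", "replace") for f in fields],
        "c2": {"host": host, "port": int(port), "password": password},
        "assigned_name": fields[1].decode("latin-1") if len(fields) > 1 else "",
    }


def encode_settings(key: bytes, fields: list) -> bytes:
    """Inverse of decode_settings; used here only to build a test blob."""
    return bytes([len(key)]) + key + rc4(key, SEP.join(fields))


# Constructed test blob: the field values copy the extracted configuration above
# (C2, assigned name, connect interval, mutex); the key itself is made up.
EXAMPLE_BLOB = encode_settings(
    b"example-key",
    [b"morrrw.ddns.net:6609:0", b"GOD HOPE", b"1", b"Rmc-Q2SG61"],
)

if __name__ == "__main__":
    cfg = decode_settings(EXAMPLE_BLOB)
    print(cfg["c2"], cfg["assigned_name"], cfg["fields"])
```

On a real sample the blob is read out of the PE resource section; the decoder itself needs no third-party module. The RC4 routine is checked against the public "Key"/"Plaintext" test vector before it is trusted on the blob.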
Yara Overview: Memory Dumps

Source | Rule | Description | Author
00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x14a8:$a1: Remcos restarted by watchdog!
  • 0x1a20:$a3: %02i:%02i:%02i:%03i
0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
[20 entries not shown in this export]
Yara Overview: Unpacked PEs

Source | Rule | Description | Author
1.2.vbc.exe.800000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1.2.vbc.exe.800000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1.2.vbc.exe.800000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
1.2.vbc.exe.800000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
1.2.vbc.exe.800000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
[18 entries not shown in this export]

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems)
  CommandLine: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
  Image: C:\Windows\SysWOW64\schtasks.exe
  ProcessId: 7496
  ParentCommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 7436

Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  CommandLine: "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
  Image: C:\Windows\SysWOW64\cmd.exe
  ProcessId: 7340
  ParentCommandLine: "C:\Users\user\Desktop\Certificate_of_registration.exe"
  ParentImage: C:\Users\user\Desktop\Certificate_of_registration.exe
  ParentProcessId: 7264
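The process tree and the two Sigma hits above show the same chain on every run of the sample: cmd.exe creates %LOCALAPPDATA%\Temp\Phtos, schtasks registers a task "Nafifas" that starts Phtos.exe every minute, cmd.exe copies the sample into that folder, and a bare vbc.exe is started to receive the injected Remcos payload. As an added example (not the Sigma rules that fired, and not code from the report), the Python below encodes that chain as three process-creation rules and runs them over constructed records. The records copy PIDs, image paths and command lines from the tree and add one made-up benign scheduled task as a control; the list of hollowing targets and the list of user-writable directories are this example's own assumptions. For host triage, note that the mutex name Rmc-Q2SG61 from the configuration is also the name of the HKCU\SOFTWARE registry key set by the injected vbc.exe in the next section.

```python
"""Flag the persistence chain from the process tree in process-creation events."""
import re

# Constructed process-creation records. PIDs, images and command lines mirror the
# process tree above; the last record (pid 9001) is a made-up benign control case.
EVENTS = [
    {"pid": 7264, "image": r"C:\Users\user\Desktop\Certificate_of_registration.exe",
     "cmdline": r'"C:\Users\user\Desktop\Certificate_of_registration.exe"'},
    {"pid": 7328, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"pid": 7340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"'},
    {"pid": 7496, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f"""},
    {"pid": 7532, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"'},
    {"pid": 9001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# Directories a standard user can write to (assumption: illustrative, not exhaustive).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Signed .NET utilities commonly hollowed by loaders (assumption: illustrative list).
HOLLOW_TARGETS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def rule_schtasks_user_dir(ev):
    """schtasks /create whose /tr target lives in a user-writable directory."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cl = ev["cmdline"]
    tr = re.search(r"/tr\s+[\"']*([^\"']+)", cl, re.I)
    if "/create" not in cl.lower() or not tr or not in_user_writable(tr.group(1)):
        return None
    tn = re.search(r"/tn\s+\"?([^\"\s]+)", cl, re.I)
    every_minute = re.search(r"/sc\s+minute", cl, re.I) is not None
    detail = f"task {tn.group(1) if tn else '?'} runs {tr.group(1)}"
    return ("schtasks_user_dir", detail + (" on a minute schedule" if every_minute else ""))


def rule_copy_exe_to_user_dir(ev):
    """cmd.exe copying an executable into a user-writable directory (self-install)."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = re.search(r"\bcopy\s+\"([^\"]+)\"\s+\"([^\"]+)\"", ev["cmdline"], re.I)
    if m and m.group(2).lower().endswith(".exe") and in_user_writable(m.group(2)):
        return ("copy_exe_to_user_dir", f"{m.group(1)} -> {m.group(2)}")
    return None


def rule_lolbin_no_args(ev):
    """A known hollowing target started with no arguments at all."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    bare = ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()
    if name in HOLLOW_TARGETS and bare:
        return ("lolbin_no_args", f"{name} started without arguments")
    return None


RULES = (rule_schtasks_user_dir, rule_copy_exe_to_user_dir, rule_lolbin_no_args)


def detect(events):
    """Run every rule over every event; return hits as {pid, rule, detail}."""
    hits = []
    for ev in events:
        for rule in RULES:
            r = rule(ev)
            if r:
                hits.append({"pid": ev["pid"], "rule": r[0], "detail": r[1]})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h)
```

The three rules fire on the three distinct PIDs (7496, 7532, 7328) and stay silent on the mkdir, the sample itself and the benign daily task. The same copy rule also catches the later runs in the tree, where Phtos.exe copies itself over its own path.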

              Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security
  EventID: 13 (SetValue)
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  ProcessId: 7180
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-Q2SG61\exepath
  Details (binary): 25 5B 00 D1 94 36 81 4D 85 7F 4D 66 A7 D2 C9 AF 38 46 A5 F3 34 29 5C 6C 66 62 26 51 15 83 B9 D2 0B 31 B2 AE EB 6E F8 97 7E A1 57 5E 0F 98 DF 9B FE 26 6D 69 AC 58 4F 21 41 F4 73 E6 9E A5 95 31 1E 54 0C 1F 65 D6 79 08 FD 0A 73 67 F0 63 B8 9B BE DA CA A0 72 58 36 91 CC 91 03 D8 EF E5 6C B8 68 D5 E4 FD 9F DD 88 2F 48 C0 46 D6

Snort IDS Alerts

68 alerts for SID 2032776, all TCP from the analysis host to destination port 6609, classtype "A Network Trojan was detected". Sorted by timestamp; the source port increments with each new connection.

Timestamp                 Source port
07/01/24-15:24:07.525230  65010
07/01/24-15:24:10.336005  65011
07/01/24-15:24:13.081534  65012
07/01/24-15:24:15.846359  65013
07/01/24-15:24:21.393725  65015
07/01/24-15:24:24.145023  65016
07/01/24-15:24:26.910069  65018
07/01/24-15:24:29.643725  65019
07/01/24-15:24:32.409260  65020
07/01/24-15:24:35.331133  65021
07/01/24-15:24:38.086325  65022
07/01/24-15:24:40.835018  65023
07/01/24-15:24:43.659135  65024
07/01/24-15:24:46.425252  65025
07/01/24-15:25:01.128070  65026
07/01/24-15:25:03.862558  65027
07/01/24-15:25:06.690311  65028
07/01/24-15:25:09.607910  65029
07/01/24-15:25:12.348073  65030
07/01/24-15:25:15.132296  65031
07/01/24-15:25:17.880097  65032
07/01/24-15:25:20.662826  65033
07/01/24-15:25:26.271089  65035
07/01/24-15:25:29.005387  65036
07/01/24-15:25:31.762504  65037
07/01/24-15:25:34.567194  65038
07/01/24-15:25:37.348818  65039
07/01/24-15:25:40.098748  65040
07/01/24-15:25:45.207024  65041
07/01/24-15:25:47.971884  65042
07/01/24-15:25:50.722833  65043
07/01/24-15:25:56.210942  65045
07/01/24-15:25:58.878054  65046
07/01/24-15:26:01.504961  65047
07/01/24-15:26:04.097811  65048
07/01/24-15:26:06.646770  65049
07/01/24-15:26:09.430868  65050
07/01/24-15:26:11.964955  65051
07/01/24-15:26:14.442904  65052
07/01/24-15:26:16.882919  65053
07/01/24-15:26:19.335200  65054
07/01/24-15:26:21.741976  65055
07/01/24-15:26:24.128641  65056
07/01/24-15:26:26.566287  65057
07/01/24-15:26:28.972972  65058
07/01/24-15:26:31.284169  65059
07/01/24-15:26:33.582063  65060
07/01/24-15:26:35.883110  65061
07/01/24-15:26:38.159216  65062
07/01/24-15:26:42.627925  65064
07/01/24-15:26:44.862195  65065
07/01/24-15:26:47.066776  65066
07/01/24-15:26:49.254965  65067
07/01/24-15:26:51.456195  65068
07/01/24-15:26:53.628264  65069
07/01/24-15:26:55.801295  65070
07/01/24-15:26:57.943013  65071
07/01/24-15:27:00.087100  65072
07/01/24-15:27:04.316898  65074
07/01/24-15:27:06.458335  65075
07/01/24-15:27:08.518309  65076
07/01/24-15:27:10.758909  65077
07/01/24-15:27:12.878111  65078
07/01/24-15:27:14.924903  65079
07/01/24-15:27:16.956017  65080
07/01/24-15:27:21.393883  65081
07/01/24-15:27:23.394998  65082
07/01/24-15:27:27.411379  65084
              Timestamp:07/01/24-15:24:18.628066
              SID:2032776
              Source Port:65014
              Destination Port:6609
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/01/24-15:26:40.409174
              SID:2032776
              Source Port:65063
              Destination Port:6609
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/01/24-15:25:53.519275
              SID:2032776
              Source Port:65044
              Destination Port:6609
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/01/24-15:27:25.394991
              SID:2032776
              Source Port:65083
              Destination Port:6609
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/01/24-15:27:02.211847
              SID:2032776
              Source Port:65073
              Destination Port:6609
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/01/24-15:25:23.409769
              SID:2032776
              Source Port:65034
              Destination Port:6609
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "morrrw.ddns.net:6609:0", "Assigned name": "GOD HOPE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Q2SG61", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | ReversingLabs: Detection: 44%
              Source: Certificate_of_registration.exe | ReversingLabs: Detection: 44%
              Source: Yara match | File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Joe Sandbox ML: detected
              Source: Certificate_of_registration.exe | Joe Sandbox ML: detected
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
              Source: Certificate_of_registration.exe, 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_3d111913-e
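The extracted configuration above is what a hunter pivots on: the C2 is a dynamic-DNS host (morrrw.ddns.net, TCP 6609, connection password 0), the mutex is Rmc-Q2SG61, the copy name is remcos.exe, and both Run-key settings are Enable while the Install flag is Disable. Note also that the DNS query recorded in the Networking section below is for busbuctomorrrw.ddns.net, not the hostname in the extracted config, so both names belong on the watch list. The Python below is an added example, not the sandbox's extractor or any Remcos code: it parses the extracted JSON into a structured IOC record. Splitting several C2 entries on '|' and the dynamic-DNS suffix list are assumptions, and the 'Keylog flag' value is passed through rather than interpreted.

```python
"""Turn the Remcos configuration the sandbox extracted into an IOC record.
Added example; the config string below is the one printed in the report."""
import json

# The JSON exactly as the report's Malware Configuration Extractor shows it.
REPORT_CONFIG = r'''{"Host:Port:Password": "morrrw.ddns.net:6609:0", "Assigned name": "GOD HOPE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Q2SG61", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

# Starter list of dynamic-DNS suffixes (an assumption; extend it for your estate).
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "zapto.org", "duckdns.org")


def parse_c2(field):
    """Split 'Host:Port:Password' into one record per C2 entry.

    Assumption: multiple entries are joined with '|' (this sample has one).
    Splitting from the right keeps any ':' inside the host part intact.
    """
    entries = []
    for item in field.split("|"):
        item = item.strip()
        if not item:
            continue
        host, port, password = item.rsplit(":", 2)
        entries.append({"host": host, "port": int(port), "password": password,
                        "dynamic_dns": host.lower().endswith(DYNDNS_SUFFIXES)})
    return entries


def iocs_from_config(config_json):
    """Pull out what a hunter pivots on: C2, mutex, persistence, dropped names."""
    cfg = json.loads(config_json)
    run_keys = [k.removeprefix("Setup ")
                for k in ("Setup HKCU\\Run", "Setup HKLM\\Run") if cfg.get(k) == "Enable"]
    return {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "assigned_name": cfg.get("Assigned name"),
        "mutex": cfg.get("Mutex"),
        "connect_interval": cfg.get("Connect interval"),
        # Whether the Run keys are actually written depends on the install
        # routine (assumption: governed by 'Install flag'); confirm against the
        # registry activity in the report rather than the config alone.
        "run_keys_enabled": run_keys,
        "install_enabled": cfg.get("Install flag") == "Enable",
        "copy_file": cfg.get("Copy file"),
        "keylog_flag": cfg.get("Keylog flag"),   # passed through, not interpreted
        "keylog_file": cfg.get("Keylog file"),
    }


if __name__ == "__main__":
    print(json.dumps(iocs_from_config(REPORT_CONFIG), indent=2))
```

The record is deliberately flat so it can be dropped into a watch list or a TIP import as is; the dynamic_dns flag is the field worth alerting on separately, because a ddns.net C2 can re-point to a new IP without any change to the binary.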

              Exploits

              Source: Yara match | File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
              Source: Certificate_of_registration.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: Certificate_of_registration.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040880C FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040783C FindFirstFileW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00419AF5 FindFirstFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00409665 FindFirstFileW,FindNextFileW,FindClose,FindClose

              Networking

              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65010 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65011 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65012 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65013 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65014 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65015 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65016 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65018 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65019 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65020 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65021 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65022 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65023 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65024 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65025 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65026 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65027 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65028 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65029 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65030 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65031 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65032 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65033 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65034 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65035 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65036 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65037 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65038 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65039 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65040 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65041 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65042 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65043 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65044 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65045 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65046 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65047 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65048 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65049 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65050 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65051 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65052 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65053 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65054 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65055 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65056 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65057 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65058 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65059 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65060 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65061 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65062 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65063 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65064 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65065 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65066 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65067 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65068 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65069 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65070 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65071 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65072 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65073 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65074 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65075 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65076 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65077 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65078 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65079 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65080 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65081 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65082 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65083 -> 109.248.151.250:6609
              Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65084 -> 109.248.151.250:6609
              Source: Malware configuration extractor | URLs: morrrw.ddns.net
              Source: unknown | DNS query: name: busbuctomorrrw.ddns.net
              Source: global traffic | TCP traffic: 192.168.2.4:65010 -> 109.248.151.250:6609
              Source: Joe Sandbox View | ASN Name: DATACLUBLV DATACLUBLV
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile
              Source: global traffic | DNS traffic detected: DNS query: busbuctomorrrw.ddns.net
              Source: Certificate_of_registration.exe, 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, vbc.exe, 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
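Every alert in this report is the same Emerging Threats signature (SID 2032776, Remcos 3.x unencrypted check-in) from 192.168.2.4 to 109.248.151.250:6609, and the source port climbs by one from alert to alert while the timestamps in the alert list sit a few seconds apart: the implant opens a fresh TCP connection for each check-in rather than holding one session. That shape is visible in plain flow data even where the IDS signature is not deployed. The Python below is an added example, not part of the sandbox report or of Remcos: it parses six of the alert records above (copied verbatim, in the out-of-order sequence the report prints them) plus two of the Snort lines, orders them by time, and measures the reconnect cadence.

```python
"""Profile the Remcos check-in traffic from the report's own alert records.
Added example, not part of the Joe Sandbox report or the Remcos code."""
import re
import statistics
from datetime import datetime

# Six alert records copied verbatim from the report's alert list, in the
# out-of-order sequence the report prints them.
REPORT_ALERTS = """\
Timestamp:07/01/24-15:27:06.458335
SID:2032776
Source Port:65075
Destination Port:6609
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/01/24-15:26:38.159216
SID:2032776
Source Port:65062
Destination Port:6609
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/01/24-15:27:00.087100
SID:2032776
Source Port:65072
Destination Port:6609
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/01/24-15:26:40.409174
SID:2032776
Source Port:65063
Destination Port:6609
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/01/24-15:27:02.211847
SID:2032776
Source Port:65073
Destination Port:6609
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:07/01/24-15:26:44.862195
SID:2032776
Source Port:65065
Destination Port:6609
Protocol:TCP
Classtype:A Network Trojan was detected
"""

# Two of the report's Snort lines; the per-alert records omit the endpoints.
REPORT_SNORT_LINES = """\
Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65062 -> 109.248.151.250:6609
Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65075 -> 109.248.151.250:6609
"""

TS_FMT = "%m/%d/%y-%H:%M:%S.%f"
SNORT_RE = re.compile(r"Snort IDS:\s*(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
                      r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert_records(text):
    """Fold the 'Key:Value' lines into one dict per alert; Classtype ends a record."""
    records, cur = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")  # first ':' only; timestamps contain ':'
        if not sep:
            continue
        cur[key] = value
        if key == "Classtype":
            records.append({"ts": datetime.strptime(cur["Timestamp"], TS_FMT),
                            "sid": int(cur["SID"]), "sport": int(cur["Source Port"]),
                            "dport": int(cur["Destination Port"]), "proto": cur["Protocol"]})
            cur = {}
    return records


def parse_snort_lines(text):
    """Map source port -> endpoints from 'Snort IDS: <sid> <msg> src:sport -> dst:dport'."""
    return {int(m["sport"]): {"src": m["src"], "dst": m["dst"], "msg": m["msg"]}
            for m in SNORT_RE.finditer(text)}


def beacon_profile(records, endpoints):
    """Order alerts by time and measure how the implant reconnects."""
    ordered = sorted(records, key=lambda r: r["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(ordered, ordered[1:])]
    sports = [r["sport"] for r in ordered]
    return {
        "alerts": len(ordered),
        "sids": sorted({r["sid"] for r in ordered}),
        "dports": sorted({r["dport"] for r in ordered}),
        "dst_ips": sorted({endpoints[p]["dst"] for p in sports if p in endpoints}),
        "sports_in_time_order": sports,
        # Strictly rising, never-reused ephemeral ports: one fresh TCP
        # connection per check-in from a single host, not a held session.
        "new_connection_each_time": sports == sorted(set(sports)),
        "min_gap_s": min(gaps) if gaps else None,
        "median_gap_s": statistics.median(gaps) if gaps else None,
    }
```

Read the numbers with the list's partiality in mind: this section of the report shows only some of the alerts, so the gap statistics describe the sampled records, while the rising-port check and the single SID, destination and port hold for every alert listed. On a real sensor the same profile (one external dst:port, many short connections from one host, consecutive ephemeral ports) is the flow-level signal to alert on.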

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx
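The hook id 0x0D passed to SetWindowsHookExA above is WH_KEYBOARD_LL, a system-wide low-level keyboard hook; together with the GetForegroundWindow/GetKeyboardState/ToUnicodeEx chain (window context plus virtual-key-to-text translation) and the clipboard read, these are the building blocks of the keylogger. The Python below is an added example, not the sandbox's logic or any Remcos code: it parses the 'Code function' lines in the form the report prints them (function id, API chain with hex arguments, function id repeated at the end, sometimes fused onto the last argument) and tags each chain with the capability it implies. The rule table and the ATT&CK references in it are the author's triage assumptions; the parser applies equally to the Code function lines in the System Summary section below.

```python
"""Tag the API chains in the report's 'Code function' lines with the
capability they imply. Added example, not the sandbox's own logic."""
import re

# SetWindowsHookEx hook ids (Win32 constants).
WH_HOOKS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Author's triage table: every API in the set must appear in the chain.
# The ATT&CK references are the author's mapping, not the report's.
RULES = [
    ({"OpenClipboard", "GetClipboardData"}, "clipboard collection (T1115)"),
    ({"GetForegroundWindow", "GetKeyboardState", "ToUnicodeEx"},
     "keystroke translation with window context (T1056.001)"),
    ({"InternetOpenUrlW", "InternetReadFile"}, "WinINet download"),
    ({"FindFirstFileW", "DeleteFileW", "RemoveDirectoryW"}, "recursive deletion (T1070.004)"),
    ({"SystemParametersInfoW"}, "desktop parameter change, e.g. wallpaper"),
    ({"CryptGenRandom"}, "CSPRNG use"),
]

FN_RE = re.compile(r"(\d+_\d+_[0-9A-Fa-f]{8})\s*(.*)$")


def parse_code_function(line):
    """Return (function id, API names in call order, hex args keyed by API).

    Report format: '<fn> Api1 arg,arg,Api2,Api3,<fn>' with the function id
    repeated (sometimes fused onto the last argument) at the end of the line.
    """
    m = FN_RE.search(line)
    if not m:
        return "", [], {}
    fn, rest = m.group(1), m.group(2).strip()
    if rest.endswith(fn):
        rest = rest[:-len(fn)].rstrip(", ")
    apis, args, current = [], {}, None
    for tok in filter(None, re.split(r"[\s,]+", rest)):
        if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):      # an argument of the preceding API
            if current:
                args.setdefault(current, []).append(int(tok, 16))
        else:
            current = tok
            apis.append(tok)
    return fn, apis, args


def tag_code_function(line):
    """Tag one report line; the hook id is the first argument to SetWindowsHookEx."""
    fn, apis, args = parse_code_function(line)
    tags = [tag for needed, tag in RULES if needed <= set(apis)]
    for api in ("SetWindowsHookExA", "SetWindowsHookExW"):
        if api in args:
            hook = WH_HOOKS.get(args[api][0], f"hook id {args[api][0]}")
            tags.append(f"{hook} hook installed"
                        + (" -> keylogging (T1056.001)" if "KEYBOARD" in hook else ""))
    return {"function": fn, "apis": apis, "tags": tags}


if __name__ == "__main__":
    for line in [  # the three chains as printed in this section of the report
        "37_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000037_2_0040A2B8",
        "37_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,37_2_0040B70E",
        "37_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,"
        "GetKeyState,GetKeyboardState,ToUnicodeEx,37_2_0040A3E0",
    ]:
        print(tag_code_function(line))
```

The tags are triage hints, not verdicts: a WH_KEYBOARD_LL hook is also how accessibility tools and some games read input, so the finding becomes conclusive only in combination with the C2 check-ins and the keylog file name in the extracted configuration.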

              E-Banking Fraud

              Source: Yara match | File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0041C9E2 SystemParametersInfoW

              System Summary

              barindex
              Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: vbc.exe PID: 7764, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess Stats: CPU usage > 49%
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,37_2_004132D2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,37_2_0041BB09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,37_2_0041BB35
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,37_2_0041D58F
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeCode function: 0_2_02C34F58 CreateProcessAsUserA,0_2_02C34F58
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_004167B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,37_2_004167B9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0043E0CC37_2_0043E0CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_004378FE37_2_004378FE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0043394637_2_00433946
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_004461F037_2_004461F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0043E2FB37_2_0043E2FB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0045332B37_2_0045332B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_004374E637_2_004374E6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0043E55837_2_0043E558
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_00435E5E37_2_00435E5E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0043DE9D37_2_0043DE9D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_00436FEA37_2_00436FEA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0041DB6237_2_0041DB62
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 00434E10 appears 54 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 516
              Source: Certificate_of_registration.exe, 00000000.00000002.1738576793.000000000104E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Certificate_of_registration.exe
              Source: Certificate_of_registration.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: vbc.exe PID: 7764, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Certificate_of_registration.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Phtos.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Certificate_of_registration.exe, --.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: Certificate_of_registration.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: Certificate_of_registration.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: Phtos.exe.10.dr, --.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: Phtos.exe.10.dr, --.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: Phtos.exe.10.dr, --.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@83/13@4/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0040F8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Certificate_of_registration.exe.log
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2116:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7764
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7328
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | File created: C:\Users\user\AppData\Local\Temp\Phtos
              Source: Certificate_of_registration.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Certificate_of_registration.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Certificate_of_registration.exe | ReversingLabs: Detection: 44%
              Source: unknown | Process created: C:\Users\user\Desktop\Certificate_of_registration.exe "C:\Users\user\Desktop\Certificate_of_registration.exe"
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 516
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 528
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: winmm.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: urlmon.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: wininet.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: iertutil.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: srvcli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: winmm.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: urlmon.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: wininet.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iertutil.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: srvcli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: netutils.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: rstrtmgr.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ncrypt.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ntasn1.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Certificate_of_registration.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Certificate_of_registration.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00406A63 LoadLibraryA,GetProcAddress,37_2_00406A63
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00457106 push ecx; ret 37_2_00457119
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0044E326 push esp; retf 37_2_0044E327
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0044DD28 push esp; retf 37_2_0044DD30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00434E56 push ecx; ret 37_2_00434E69
              Source: Certificate_of_registration.exe | Static PE information: section name: .text entropy: 7.949760157390658
              Source: Phtos.exe.10.dr | Static PE information: section name: .text entropy: 7.949760157390658
              Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe

              Boot Survival

              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,37_2_0041AA4A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 37_2_00435E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,37_2_00435E5E
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0040F7A7 Sleep,ExitProcess
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory allocated: 2C30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory allocated: 2E50000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory allocated: 4E50000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 17D0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 31A0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 1990000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 3170000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 32C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 52C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: FC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 2A30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 27F0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: DF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 2BB0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 2910000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 1700000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 3090000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: 5090000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0041A748 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Thread delayed: delay time: 922337203685477 (5 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Window / User API: threadDelayed 9856
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; API coverage: 2.1 %
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe TID: 7284; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 7640; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 4320; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep count: 100 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep time: -300000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep count: 9856 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep time: -29568000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 7840; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 5444; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 5724; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0040880C FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0040783C FindFirstFileW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_00419AF5 FindFirstFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_00409665 FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: Amcache.hve.9.dr; Binary or memory string: VMware
              Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.9.dr; Binary or memory string: vmci.syshbin
              Source: Amcache.hve.9.dr; Binary or memory string: VMware, Inc.
              Source: vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
              Source: Amcache.hve.9.dr; Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.9.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.9.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.9.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.9.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.9.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.9.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.9.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.9.dr; Binary or memory string: vmci.sys
              Source: Amcache.hve.9.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.9.dr; Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.9.dr; Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.9.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.9.dr; Binary or memory string: VMware20,1
              Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.9.dr; Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.9.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.9.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.9.dr; Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.9.dr; Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.9.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.9.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; API call chain: ExitProcess graph end node (graph_37-34115)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; API call chain: ExitProcess graph end node (graph_37-34114)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Process queried: DebugPort (2 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_00406A63 LoadLibraryA,GetProcAddress
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_004432B5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_00412077 GetProcessHeap,HeapFree
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_004349F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_00434B47 SetUnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 37_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory allocated: page read and write | page guard
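Reading the sleep rows of this section: the value 922337203685477 is the 64-bit extreme 0x7FFFFFFFFFFFFFFF in 100 ns units divided by 10,000, which is what an INFINITE wait timeout looks like once expressed in milliseconds. A .NET thread blocking on an event produces exactly that, so the Certificate_of_registration.exe and Phtos.exe rows are not by themselves evasion. The vbc.exe rows are: 9856 sleeps totalling 29,568,000 ms is a 3,000 ms sleep loop running for roughly 8.2 hours, well past any analysis window. Two related caveats: "memory reserve | memory write watch" is how the CLR reserves its garbage-collected heap, so a .NET loader trips that signature regardless of intent, and the VMware strings come from Amcache.hve, the Windows application-compatibility hive that inventories the analysis VM's hardware, so those rows show the VM rather than the sample checking for one. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the sleep rows (the sample text is copied from this section), takes the reported numbers as milliseconds despite the report's "s" suffix (an assumption consistent with its 30000 threshold being 30 s), and uses an illustrative five-minute budget to separate an infinite event wait from a sleep loop.

```python
import re

# 0x7FFFFFFFFFFFFFFF in 100 ns units, shown by the report in milliseconds:
# the value an INFINITE wait timeout produces.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000        # 922337203685477

# Illustrative analysis budget (assumption): a thread sleeping longer than
# this in total has outlived a typical sandbox run.
SANDBOX_BUDGET_MS = 5 * 60 * 1000

# Matches both the cleaned rows ("...exe TID: 6740; Thread sleep ...") and
# the raw extraction ("...exe TID: 6740Thread sleep ...").
ROW_RE = re.compile(
    r"Source: (?P<image>[^\s;]+?\.exe)(?: TID: (?P<tid>\d+))?[;\s]*"
    r"Thread sleep (?P<kind>time|count): -?(?P<value>\d+)"
)

# Constructed sample: the per-thread sleep rows of this report.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Certificate_of_registration.exe TID: 7284; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep count: 100 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep time: -300000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep count: 9856 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740; Thread sleep time: -29568000s >= -30000s
"""


def parse_rows(text):
    """Return (image basename, tid, 'time'|'count', value) per sleep row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            image = m["image"].rsplit("\\", 1)[-1]
            rows.append((image, m["tid"], m["kind"], int(m["value"])))
    return rows


def classify(rows):
    """Per (image, tid): infinite-wait, sleep-loop or short-sleep.

    The report emits a 'count' row followed by the matching 'time' row for
    the same thread, so the count is held until its total arrives."""
    findings = {}
    pending_count = {}
    for image, tid, kind, value in rows:
        key = (image, tid)
        if kind == "count":
            pending_count[key] = value
            continue
        if value >= INFINITE_WAIT_MS:
            # A single wait with no timeout: an idle thread, not a delay loop.
            findings[key] = {"verdict": "infinite-wait", "total_ms": value}
            continue
        count = pending_count.pop(key, 1)
        finding = {
            "verdict": "sleep-loop" if value > SANDBOX_BUDGET_MS else "short-sleep",
            "count": count,
            "per_sleep_ms": value // count,
            "total_ms": value,
            "hours": round(value / 3_600_000, 2),
        }
        # Keep the largest loop seen for the thread.
        if key not in findings or findings[key]["total_ms"] < value:
            findings[key] = finding
    return findings


if __name__ == "__main__":
    for key, info in classify(parse_rows(SAMPLE_ROWS)).items():
        print(key, info)
```

For the 6740 thread the first pair (100 sleeps, 300,000 ms) stays under the budget and the second (9856 sleeps, 29,568,000 ms) replaces it, which is the row worth escalating; the idle threads come out as infinite-wait and can be suppressed in a triage rule.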

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B0000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write (4 occurrences)
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B0000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A (4 occurrences)
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 801000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 859000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 871000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 877000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 878000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 879000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 87E000
              Source: C:\Users\user\Desktop\Certificate_of_registration.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7FF008
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B0000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B1000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 609000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 621000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 627000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 628000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 629000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 62E000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 230008
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 374008
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: A89008
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: C54008
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7D1008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_00419627 mouse_event,37_2_00419627
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"Jump to behavior
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /fJump to behavior
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /fJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
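              The process lines above record the whole dropper sequence: the sample copies itself to %TEMP%\Phtos\Phtos.exe, registers a scheduled task ("Nafifas") that re-launches that copy every minute, and starts the .NET compiler vbc.exe with no arguments so it can be hollowed with the Remcos payload (the "Memory written ... base: 400000" lines). The script below is an added hunting example written for this page; it is not part of the Joe Sandbox report or of any vendor tooling. It walks constructed process-creation events shaped like Sysmon telemetry (field names are an assumption), with values copied from the report plus one benign control (a compiler launched by MSBuild with a response file), and flags the three behaviours. PIDs 7400, 7412 and 9001, the MSBuild/devenv parent list and the csc.exe analogue are assumptions; the user-writable path markers are a common heuristic, not something the report states.

```python
import re

# Constructed sample telemetry (assumption: Sysmon-like field names). Values
# mirror the process lines in this report; the last event is a benign control.
EVENTS = [
    {"pid": 7264, "image": r"C:\Users\user\Desktop\Certificate_of_registration.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\Certificate_of_registration.exe"'},
    {"pid": 7328, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Users\user\Desktop\Certificate_of_registration.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"pid": 7400, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\user\Desktop\Certificate_of_registration.exe",
     "cmdline": r'"cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"'},
    {"pid": 7412, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"""schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f"""},
    {"pid": 9001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\build\obj\Debug\tmp.rsp"'},
]

# Assumptions: csc.exe is treated like vbc.exe; MSBuild/devenv are the only
# parents for which an argument-less compiler launch is considered normal.
COMPILER_HOSTS = ("vbc.exe", "csc.exe")
BUILD_PARENTS = ("msbuild.exe", "devenv.exe")
MAX_MINUTES = 5                      # tasks firing this often or faster are suspicious
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_flags(tokens):
    """Map /flag -> value (or True for bare switches) for schtasks-style lines."""
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                flags[key] = tokens[i + 1]
                i += 2
                continue
            flags[key] = True
        i += 1
    return flags


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev):
    """Return the list of rule names this process-creation event matches."""
    image, parent, toks = basename(ev["image"]), basename(ev["parent"]), tokenize(ev["cmdline"])
    hits = []
    # Rule 1: a .NET compiler started with no arguments by a non-build parent
    # is a classic hollowing host (the report shows PE writes into vbc.exe).
    if image in COMPILER_HOSTS and len(toks) <= 1 and parent not in BUILD_PARENTS:
        hits.append("compiler_no_args")
    # Rule 2: short-interval scheduled task whose action lives in a user-writable dir.
    if image == "schtasks.exe":
        flags = parse_flags(toks)
        target = str(flags.get("tr", "")).strip("'")
        try:
            every = int(str(flags.get("mo", "1")))
        except ValueError:
            every = MAX_MINUTES + 1
        if ("create" in flags and str(flags.get("sc", "")).lower() == "minute"
                and every <= MAX_MINUTES and user_writable(target)):
            hits.append("short_interval_task_to_user_dir")
    # Rule 3: cmd /C copy where the source is the parent's own image (self-copy).
    if image == "cmd.exe":
        low = [t.lower() for t in toks]
        if "copy" in low:
            i = low.index("copy")
            if i + 2 < len(toks):
                src, dst = toks[i + 1], toks[i + 2]
                if src.lower() == ev["parent"].lower() and user_writable(dst):
                    hits.append("self_copy_to_user_dir")
    return hits


def hunt(events):
    """Return {pid: [rule, ...]} for every event that matched at least one rule."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in hunt(EVENTS).items():
        print(pid, ", ".join(rules))
```

              Run against the constructed events, the three dropper steps (PIDs 7328, 7400, 7412) are each flagged by exactly one rule and the MSBuild-driven compiler is not. In production the same three checks map directly onto Sysmon event ID 1 fields (Image, ParentImage, CommandLine); the "mo 1 minute" task is the noisiest indicator of the three and also explains the six repeated Phtos.exe launches in this report.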
              Source: vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerWe
              Source: vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerqe
              Source: vbc.exe, 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_00434C52 cpuid 37_2_00434C52
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: EnumSystemLocalesW,37_2_00452036
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: GetLocaleInfoW,37_2_004488ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: GetLocaleInfoW,37_2_00452313
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: EnumSystemLocalesW,37_2_00448404
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,37_2_0045243C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,37_2_00451CD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: GetLocaleInfoW,37_2_00452543
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,37_2_00452610
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: EnumSystemLocalesW,37_2_00451F50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: EnumSystemLocalesW,37_2_00451F9B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: GetLocaleInfoA,37_2_0040F8D1
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeQueries volume information: C:\Users\user\Desktop\Certificate_of_registration.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_00448957 GetSystemTimeAsFileTime,37_2_00448957
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_0041B60D GetComputerNameExW,GetUserNameW,37_2_0041B60D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 37_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,37_2_004493AD
              Source: C:\Users\user\Desktop\Certificate_of_registration.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
              Source: Yara match | File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR
              MITRE ATT&CK Matrix

              Tactics with at least one mapped technique are listed below; the number shown beside each technique in the original matrix is kept in parentheses. The remaining cells of the matrix were unpopulated placeholders.

              Initial Access: Valid Accounts (1)
              Execution: Native API (1); Scheduled Task/Job (1); Service Execution (2)
              Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Scheduled Task/Job (1)
              Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (312); Scheduled Task/Job (1)
              Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Valid Accounts (1); Virtualization/Sandbox Evasion (41); Access Token Manipulation (11); Process Injection (312)
              Credential Access: Input Capture (111)
              Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (1); System Information Discovery (33); Security Software Discovery (141); Virtualization/Sandbox Evasion (41); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
              Lateral Movement: none mapped
              Collection: Archive Collected Data (12); Input Capture (111); Clipboard Data (2)
              Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (21)
              Exfiltration: none mapped
              Impact: System Shutdown/Reboot (1); Defacement (1)
              Behavior Graph (ID 1465318; sample Certificate_of_registration.exe; start date 01/07/2024; architecture WINDOWS; score 100)

              Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
              DNS: busbuctomorrrw.ddns.net (Uses dynamic DNS services)

              Certificate_of_registration.exe (started)
                dropped: C:\...\Certificate_of_registration.exe.log (CSV)
                signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                -> vbc.exe: Contains functionalty to change the wallpaper; Contains functionality to register a low level keyboard hook; Delayed program exit found
                   -> WerFault.exe
                -> cmd.exe: dropped C:\Users\user\AppData\Local\...\Phtos.exe (PE32) and C:\Users\user\...\Phtos.exe:Zone.Identifier (ASCII)
                   -> conhost.exe
                -> cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules
                   -> conhost.exe
                -> cmd.exe
                   -> conhost.exe
                   -> schtasks.exe
              Phtos.exe (started): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                -> 4 other processes
                   -> WerFault.exe; 4 other processes
              Phtos.exe (started)
                -> vbc.exe: busbuctomorrrw.ddns.net 109.248.151.250, ports 65010, 65011, 65012 (DATACLUBLV, Russian Federation); Detected Remcos RAT
                -> 3 other processes
                   -> 4 other processes
              3 other processes
                -> vbc.exe
                -> 11 other processes
                   -> 12 other processes

              Source | Detection | Scanner | Label
              Certificate_of_registration.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.Zusy
              Certificate_of_registration.exe | 100% | Joe Sandbox ML |

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.Zusy

              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label
              http://upx.sf.net | 0% | URL Reputation | safe
              http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
              morrrw.ddns.net | 0% | Avira URL Cloud | safe

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              busbuctomorrrw.ddns.net | 109.248.151.250 | true | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              morrrw.ddns.net | true | Avira URL Cloud: safe | unknown

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://upx.sf.net | Amcache.hve.9.dr | false | URL Reputation: safe | unknown
              http://geoplugin.net/json.gp/C | Certificate_of_registration.exe, 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, vbc.exe, 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

              IP | Domain | Country | ASN | ASN Name | Malicious
              109.248.151.250 | busbuctomorrrw.ddns.net | Russian Federation | 52048 | DATACLUBLV | true
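              The network side of this report is compact: one dynamic-DNS host (busbuctomorrrw.ddns.net) resolving to 109.248.151.250 in AS52048, contacted on three consecutive high ports (65010, 65011, 65012), plus a plaintext geolocation lookup to http://geoplugin.net/json.gp found in the unpacked payload. The script below is an added example for this page, not Joe Sandbox or vendor code; it scores constructed flow records (source hosts 10.0.0.5 and 10.0.0.7, the 203.0.113.10 and 198.51.100.20 destinations and the benign www.example.com flow are all made up) for that combination. The dynamic-DNS suffix list beyond ddns.net, the two-label "registrable suffix" shortcut and the three-port rotation threshold are assumptions; the 49152 boundary is the IANA dynamic/ephemeral port range start.

```python
from collections import defaultdict

# Constructed flow records (assumption: one dict per connection, already
# joined with the DNS answer that produced the destination IP).
FLOWS = [
    {"src": "10.0.0.5", "domain": "busbuctomorrrw.ddns.net", "dst": "109.248.151.250", "port": 65010},
    {"src": "10.0.0.5", "domain": "busbuctomorrrw.ddns.net", "dst": "109.248.151.250", "port": 65011},
    {"src": "10.0.0.5", "domain": "busbuctomorrrw.ddns.net", "dst": "109.248.151.250", "port": 65012},
    {"src": "10.0.0.5", "domain": "geoplugin.net", "dst": "203.0.113.10", "port": 80},
    {"src": "10.0.0.7", "domain": "www.example.com", "dst": "198.51.100.20", "port": 443},
]

# ddns.net comes from this report; the other suffixes are an assumption.
DYN_DNS_SUFFIXES = {"ddns.net", "no-ip.com", "duckdns.org"}
GEOIP_HOSTS = {"geoplugin.net"}          # seen in the unpacked payload's strings
IANA_DYNAMIC_PORT_START = 49152          # start of the dynamic/ephemeral range
ROTATION_THRESHOLD = 3                   # distinct high ports to one peer (assumption)


def registrable_suffix(domain):
    """Last two labels of a name (assumption: no public-suffix list needed here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def flow_reasons(flow):
    """Per-flow indicators; an empty list means the flow looks ordinary."""
    reasons = []
    if registrable_suffix(flow["domain"]) in DYN_DNS_SUFFIXES:
        reasons.append("dynamic_dns_domain")
    if flow["port"] >= IANA_DYNAMIC_PORT_START:
        reasons.append("ephemeral_dst_port")
    if flow["domain"].lower() in GEOIP_HOSTS:
        reasons.append("geoip_lookup")
    return reasons


def correlate(flows):
    """Group indicators per source host and add the cross-flow port-rotation signal.

    Returns {src: sorted list of reasons} for hosts with at least one reason.
    """
    per_src = defaultdict(set)
    high_ports = defaultdict(set)        # (src, dst) -> distinct high ports used
    for flow in flows:
        per_src[flow["src"]].update(flow_reasons(flow))
        if flow["port"] >= IANA_DYNAMIC_PORT_START:
            high_ports[(flow["src"], flow["dst"])].add(flow["port"])
    for (src, _dst), ports in high_ports.items():
        if len(ports) >= ROTATION_THRESHOLD:
            per_src[src].add("port_rotation")
    return {src: sorted(reasons) for src, reasons in per_src.items() if reasons}


def remcos_like(reasons):
    """Heuristic verdict (assumption): the combination this report exhibits."""
    return {"dynamic_dns_domain", "port_rotation", "geoip_lookup"} <= set(reasons)


if __name__ == "__main__":
    for src, reasons in correlate(FLOWS).items():
        print(src, reasons, "remcos-like" if remcos_like(reasons) else "")
```

              Only 10.0.0.5 surfaces, with all four indicators; the example.com flow contributes nothing. The per-flow checks are cheap enough to run in a DNS or NetFlow pipeline, while the port-rotation check is what separates a Remcos-style failover list (several configured ports on one host) from a single odd-port connection.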
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1465318
                Start date and time:2024-07-01 15:22:37 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 3s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:63
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Certificate_of_registration.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@83/13@4/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 81
                • Number of non-executed functions: 166
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.182.143.212
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • VT rate limit hit for: Certificate_of_registration.exe
                Time | Type | Description
                09:23:49 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                09:24:43 | API Interceptor | 3775573x Sleep call for process: vbc.exe modified
                14:23:36 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                109.248.151.250 | OST10906202381608790.exe | malicious | Remcos |

                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                busbuctomorrrw.ddns.net | SFwpxUaKtF.exe | malicious | Remcos | 194.147.140.146

                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                DATACLUBLV | DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe | malicious | GuLoader | 109.248.151.29
                DATACLUBLV | Order 00293884800595.bat.exe | malicious | GuLoader | 109.248.151.29
                DATACLUBLV | Order 000293884849900.bat.exe | malicious | GuLoader | 109.248.151.29
                DATACLUBLV | rUniversidadedeBras#U00edlia-ProjetoFMD20240342.vbs | malicious | Unknown | 109.248.151.238
                DATACLUBLV | 17194198846f19431fa86ff695fe063dadb4561f59dac5dc011432c27d123f4314e8bbacda424.dat-decoded.exe | malicious | AveMaria, PrivateLoader | 109.248.151.231
                DATACLUBLV | 8x121Y7FNW.js | malicious | AveMaria, PrivateLoader | 109.248.151.231
                DATACLUBLV | Product Specifications_pdf.vbs | malicious | AgentTesla, GuLoader | 109.248.151.238
                DATACLUBLV | RCBC Plaza Project Quotation.vbs | malicious | AgentTesla, GuLoader | 109.248.151.238
                DATACLUBLV | ELMA _CO LLC_pdf.vbs | malicious | FormBook, GuLoader | 109.248.151.238
                DATACLUBLV | UNIVERSITY OF SHARJAH- Project FMD20240342.vbs | malicious | FormBook, GuLoader | 109.248.151.238
                  No context
                  No context
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8220779785496444
                  Encrypted:false
                  SSDEEP:192:Or4mMgqn52rRr0BU/IjkZrCqzuiFcZ24IO8/7D:64mMjIrR4BU/IjUzuiFcY4IO8/v
                  MD5:67B349E59B7F0FB86910C3D4D121BCFC
                  SHA1:6966DE0247DEE55ED92A54FCAA7EE6A697FDB831
                  SHA-256:7BF31D5F5111FA76CFE5B79DE4E5D3728BB2800E672E7C47D0B43985EEFB51CE
                  SHA-512:D8AFE143568132B654C8FD1A2172A01CCD72A4356CD883E2BF4DCC517271CA4C2E1226E6CFD2C72D21D3D4A43D1D9512BC6A225083E4E5FC2FF9D778364AB2F8
                  Malicious:false
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.1.3.8.1.4.9.3.7.2.7.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.1.3.8.1.5.4.8.4.1.5.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.3.8.3.f.5.d.-.a.4.e.1.-.4.8.5.a.-.8.9.3.e.-.1.5.1.1.6.e.2.6.1.2.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.b.0.4.f.7.1.-.a.0.b.c.-.4.6.1.5.-.9.e.c.9.-.2.5.2.9.c.4.8.c.b.7.7.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.8.6.b.7.-.c.7.d.f.b.9.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.1.d.f.f.8.7.6.e.4.d.5.e.d.b.6.c.e.a.7.8.f.e.e.7.a.a.1.5.8.4.5.d.4.9.5.0.e.2.4.!.v.b.c...e.x.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8219901016841253
                  Encrypted:false
                  SSDEEP:192:ENLqfqn52WKRr0BU/IjkZrCqzuiFcZ24IO8/7D:IqCITR4BU/IjUzuiFcY4IO8/v
                  MD5:48E2DD326111EB5D6080E6CBB563E2AB
                  SHA1:0F7C571C0C54D6308C75429952E9D2E4589DAA71
                  SHA-256:3E34B7009FD7AF268B29A86C2E93BE8BA6B5E529968285C19D72120199E88102
                  SHA-512:41D218324AD893A8AA4F540A38FB567AD2D28B0C6C13861EB89AACC741C0B73A054978A8D7B521AE46DEDDF8F859121FE58BB279BF329713EFDE43450F469768
                  Malicious:false
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.1.3.8.2.1.9.1.0.6.5.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.1.3.8.2.2.4.1.0.6.6.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.8.4.3.b.d.7.-.7.4.2.d.-.4.c.e.3.-.a.f.3.d.-.0.d.2.8.8.0.d.f.6.4.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.f.5.c.4.8.5.-.d.2.a.f.-.4.3.8.5.-.b.7.2.6.-.b.0.f.9.1.9.e.1.e.1.5.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.5.4.-.0.0.0.1.-.0.0.1.4.-.4.3.9.a.-.0.1.e.4.b.9.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.1.d.f.f.8.7.6.e.4.d.5.e.d.b.6.c.e.a.7.8.f.e.e.7.a.a.1.5.8.4.5.d.4.9.5.0.e.2.4.!.v.b.c...e.x.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Mon Jul 1 13:23:35 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):39164
                  Entropy (8bit):1.8170342439207732
                  Encrypted:false
                  SSDEEP:96:5P8xmbz6OFNeDTVeS+DJxwsX/ei+si7jxQcdYV6gSgdvtpFP0wohk7HFiDcKKuWy:exF7rsX/hO+cOjpFykzBHyst1J
                  MD5:0B3A5CF16FBD291ABC83F07F67B8E217
                  SHA1:FC5AB75F89294F3C9649D6A6DB121126998F2315
                  SHA-256:80B3BC1147AC8EEB376B2831D9DDD3AABB41DC79B7858D052089C0EAECB26D83
                  SHA-512:40DC9861884DE2DD79E1622587A524FC6E4EF5C8CC22AD7BCFBC4D4F36E56309818562B046E395EB1FE4858FE6095B44F1410A894754655AAA8E623BCF500DDA
                  Malicious:false
                  Preview:MDMP..a..... .........f........................................0%..........T.......8...........T...............L...........H...........4...............................................................................eJ..............GenuineIntel............T.............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8340
                  Entropy (8bit):3.695812956438388
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJIa6mt6Y7c6lgmfnRprj89bdKsf44Ifm:R6lXJd606YQ6lgmfnYdpf449
                  MD5:E4987F0FB2E34EE99B452582749E9A9B
                  SHA1:10654FC1EA3D4EFD20A496719B765BD5D19673C6
                  SHA-256:FD97AACAE3BCC8B1192994B49587D1268C45E39B4B31BAA9E401CE9B2DA59EBD
                  SHA-512:525177463B9994975D000DCEFBED7D8FB55539E4B6B1106276F8A6B4943CBA5AB3120B014D68FDFA176660E0823FF5398CBCC0C37DB9DB67D5FF99AFAA97203E
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4655
                  Entropy (8bit):4.4746615605687925
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zscrJg77aI9U3WpW8VYQYm8M4JdLqFo+q8R9od2z8d:uIjfcFI7KG7VMJd/OKd2z8d
                  MD5:830C5E9203D5F5411D9AAAC718B5FF59
                  SHA1:288BF9A86822D13F8CC517DF77CD3A9F1079F88E
                  SHA-256:2BFCC092C38CEA4AC86C68CCDD3C170D89C6ED0E782EC6FA0BE6A7FCFE14993C
                  SHA-512:5A40311712CDEED89CF60A13E9B62807C320FFA8B1CDA784F20336D69A55D0C4D17F2BF15EEC378A46E998744DC0D75C2D8276FA39B521ADCE5C9BACF4DED785
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="391946" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Mon Jul 1 13:23:42 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):39344
                  Entropy (8bit):1.8526289732455095
                  Encrypted:false
                  SSDEEP:96:5C8lYti6OFNeDTVeS+DJxwsX/enwYi7jxQcdUZZTEjHXVuSYIKFIDnWIkWIKXIps:bS7rsX/AhO+cuErXVuSJKE8jcgB0o
                  MD5:A99B84CEE32B1C9D0B5A8AE45B2635E4
                  SHA1:BAEB37BD43D07288A63F26F6CFFCA6D9F687B2D9
                  SHA-256:12FE83DE7C91A4F5DC617EAC0B3C98EA6BD2CDBCEDFFE22990789BA9ACEF0DBE
                  SHA-512:C3DC885F35C5C738424B44E20FAF87A7002CAA71F1170E3AB37CEFCC7248DEE811A3446999C1D1EB12C30851E9C0ED2D1352822EA7FAC440F404DD5C50A5D306
                  Malicious:false
                  Preview:MDMP..a..... .........f........................................0%..........T.......8...........T...........(...............H...........4...............................................................................eJ..............GenuineIntel............T.......T.....f............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8296
                  Entropy (8bit):3.6967423754167092
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJkp6U6Yaf6OgmfnRprp89bVnsfqwnm:R6lXJS6U6YS6Ogmfn6Vsfk
                  MD5:7AFE91C646358BF70B9C1166BFADFF1E
                  SHA1:C5609ABB24242269C8A5E22F185966C0830D4268
                  SHA-256:761EBE86025DBCAE686AE2436F676D1C6E6E5174CEDFEC9EED40CE7B7247D866
                  SHA-512:09B854E18180339183767CD0AE7F11370EC3C8D31D0EC6F7A08D646E55A6ACEDE88265F7743BBFCCE291BCC041597088A325F2FFEA9B605DAB1490E06C633650
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.6.4.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4655
                  Entropy (8bit):4.474804506731549
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zscrJg77aI9U3WpW8VYqYm8M4JdLqFgYE+q8R9E2z9d:uIjfcFI7KG7VaJdTjOS2z9d
                  MD5:D9B3ED1EE4A995D0C2E0F7A1E797A290
                  SHA1:5AB329D2B40E784B9A763118B1F59C75D93BF39B
                  SHA-256:81B51422B3C6E0CFCBA48AC4CF6A0F6D21950CE5BF73270CAB45255008692101
                  SHA-512:AA902FE6D2715D3153631A9247F6CEB82A89B50084D4E6EAA01F9D3AAF5003EA8DEC3DC35F18DAEFA1E3327BC1C99A3A7C45B787BCB43A16BC4DF8F31ACD7237
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="391946" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Users\user\Desktop\Certificate_of_registration.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):425
                  Entropy (8bit):5.353683843266035
                  Encrypted:false
                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                  MD5:859802284B12C59DDBB85B0AC64C08F0
                  SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                  SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                  SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                  Malicious:true
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                  Process:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):425
                  Entropy (8bit):5.353683843266035
                  Encrypted:false
                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                  MD5:859802284B12C59DDBB85B0AC64C08F0
                  SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                  SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                  SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                  Malicious:false
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                  Process:C:\Windows\SysWOW64\cmd.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):551424
                  Entropy (8bit):7.940163665322343
                  Encrypted:false
                  SSDEEP:12288:W+5mRuKb4KDXUd1rGFlAHloLkMAiNqAJ7aJJJJeV3bJ1JiJp:W+SjDXUrvHUAmqW7aJJJJ43bXJiJ
                  MD5:74306FF01DB05A602A39C5DA423B8D00
                  SHA1:F9326EFD199CC26EBBC48109C3903E9BE25F0B0C
                  SHA-256:9FA768CB5A871346C0831394150D09B4697C564536AE523B539AA12A17D015B6
                  SHA-512:C4B8ED885D1D37B381DA6B603DFE17407F83E9EC7D5AD2E6BEDC614F4BA4A7C449AAD4F0D60BA4EBE42CAE12C786F66C2C2BFAE30ED28440F5065090AA0762D6
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 45%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*\.f.................H... ......#g... ........@.. ....................................@..................................f..J.................................................................................... ............... ..H............text...)G... ...H.................. ..`.rsrc................J..............@..@.reloc...............h..............@..B.................g......H...........DW............................................................(....*:.(......}....*...(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*>+......*s....+...(....*..(....*..(....*...$(....~.... ....(|...~.... ....(|...(....(....}.....(....*...b.....+.+.*(....+.(....+.....0..@.......8....~.... ....8....~.... ....8....(....s.....o......~.... )...(|...~.... ....(|...(....o......~.... J...(|... ....o..........(....~.... g...(|...~.... ....(|...(....(.
                  Process:C:\Windows\SysWOW64\cmd.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.466077219681486
                  Encrypted:false
                  SSDEEP:6144:CIXfpi67eLPU9skLmb0b4uWSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSb6:nXD94uWlLZMM6YFH/+6
                  MD5:4FE11FDA9668E5AA70732D82953A84AC
                  SHA1:2A63BE6F928A97D49C23FA925452A705AC838C1D
                  SHA-256:88B84466EEC02E130C758E9D4480A01B6BE165CE196BB1CBEEEC81C58A7C188F
                  SHA-512:D28063D67FBC16C111C5F79E3C0AC97C39AE6F31A2BC5EFE7698A4F8AB1E28ED5739963562B999A225A5D650EEFBC5E0A148C5034D69E02D0D3127CE49C59BBB
                  Malicious:false
                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.(..................................................................................................................................................................................................................................................................................................................................................y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.940163665322343
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:Certificate_of_registration.exe
                  File size:551'424 bytes
                  MD5:74306ff01db05a602a39c5da423b8d00
                  SHA1:f9326efd199cc26ebbc48109c3903e9be25f0b0c
                  SHA256:9fa768cb5a871346c0831394150d09b4697c564536ae523b539aa12a17d015b6
                  SHA512:c4b8ed885d1d37b381da6b603dfe17407f83e9ec7d5ad2e6bedc614f4ba4a7c449aad4f0d60ba4ebe42cae12c786f66c2c2bfae30ed28440f5065090aa0762d6
                  SSDEEP:12288:W+5mRuKb4KDXUd1rGFlAHloLkMAiNqAJ7aJJJJeV3bJ1JiJp:W+SjDXUrvHUAmqW7aJJJJ43bXJiJ
                  TLSH:26C4121D77958123C86C88FA949647808333C9778E1ADB2318DEC5FD726A7F888176E7
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*\.f.................H... ......#g... ........@.. ....................................@................................
                  Icon Hash:64858c9383ecf892
                  Entrypoint:0x486723
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66825C2A [Mon Jul 1 07:35:06 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al   (repeated 97 times: zero-byte padding following the entry-point stub)
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x866d9 | 0x4a | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x1ca0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x84729 | 0x84800 | 381cf397bbc1d2cc5d463021d5da4b55 | False | 0.9119527564858491 | data | 7.949760157390658 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x88000 | 0x1ca0 | 0x1e00 | 333f3795461555364a2e916aacf1a4b4 | False | 0.7829427083333333 | data | 7.238355348179121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x8a000 | 0xc | 0x200 | 7dd08fa880aa6fce85c896340a209ddc | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0x8806c | 0x1778 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8871504660452729
                  RT_GROUP_ICON | 0x89832 | 0x14 | data | | | 1.05
                  RT_VERSION | 0x89882 | 0x1f8 | data | English | United States | 0.49007936507936506
                  RT_MANIFEST | 0x89ab6 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Language of compilation system | Country where language is spoken | Map
                  English | United States |
                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 1, 2024 15:25:50.721323013 CEST660965043109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:50.722481966 CEST650436609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:50.722832918 CEST650436609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:50.727659941 CEST660965043109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:52.529341936 CEST660965043109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:52.530437946 CEST650436609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:52.530478954 CEST650436609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:52.535430908 CEST660965043109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:53.513422012 CEST650446609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:53.518785954 CEST660965044109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:53.518860102 CEST650446609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:53.519274950 CEST650446609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:53.524187088 CEST660965044109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:55.264348984 CEST660965044109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:55.264411926 CEST650446609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:55.264457941 CEST650446609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:55.269445896 CEST660965044109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:56.200637102 CEST650456609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:56.206214905 CEST660965045109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:56.210491896 CEST650456609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:56.210942030 CEST650456609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:56.215783119 CEST660965045109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:57.963409901 CEST660965045109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:57.963481903 CEST650456609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:57.963598967 CEST650456609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:57.968430996 CEST660965045109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:58.872592926 CEST650466609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:58.877619982 CEST660965046109.248.151.250192.168.2.4
                  Jul 1, 2024 15:25:58.877717972 CEST650466609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:58.878053904 CEST650466609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:25:58.882831097 CEST660965046109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:00.614906073 CEST660965046109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:00.614978075 CEST650466609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:00.615016937 CEST650466609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:00.619709969 CEST660965046109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:01.497411966 CEST650476609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:01.502640963 CEST660965047109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:01.504585028 CEST650476609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:01.504961014 CEST650476609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:01.510009050 CEST660965047109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:03.239809036 CEST660965047109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:03.242502928 CEST650476609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:03.242542028 CEST650476609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:03.247298956 CEST660965047109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:04.091315031 CEST650486609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:04.097318888 CEST660965048109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:04.097388983 CEST650486609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:04.097810984 CEST650486609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:04.102974892 CEST660965048109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:05.811194897 CEST660965048109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:05.814486980 CEST650486609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:05.814522028 CEST650486609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:05.819289923 CEST660965048109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:06.638058901 CEST650496609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:06.642879963 CEST660965049109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:06.646505117 CEST650496609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:06.646770000 CEST650496609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:06.651582003 CEST660965049109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:08.389890909 CEST660965049109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:08.390518904 CEST650496609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:08.390558004 CEST650496609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:08.395529032 CEST660965049109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:09.425457954 CEST650506609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:09.430320978 CEST660965050109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:09.430392981 CEST650506609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:09.430867910 CEST650506609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:09.436559916 CEST660965050109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:11.175895929 CEST660965050109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:11.175992966 CEST650506609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:11.176048994 CEST650506609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:11.180958986 CEST660965050109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:11.958420992 CEST650516609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:11.964579105 CEST660965051109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:11.964699030 CEST650516609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:11.964955091 CEST650516609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:11.972697020 CEST660965051109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:13.690924883 CEST660965051109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:13.694509983 CEST650516609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:13.694557905 CEST650516609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:13.699340105 CEST660965051109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:14.435141087 CEST650526609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:14.440108061 CEST660965052109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:14.442543030 CEST650526609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:14.442903996 CEST650526609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:14.447807074 CEST660965052109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:16.154985905 CEST660965052109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:16.158489943 CEST650526609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:16.158534050 CEST650526609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:16.163367987 CEST660965052109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:16.872488022 CEST650536609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:16.879842043 CEST660965053109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:16.882538080 CEST650536609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:16.882919073 CEST650536609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:16.887773037 CEST660965053109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:18.626055002 CEST660965053109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:18.628652096 CEST650536609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:18.628779888 CEST650536609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:18.633627892 CEST660965053109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:19.325684071 CEST650546609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:19.330661058 CEST660965054109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:19.334634066 CEST650546609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:19.335200071 CEST650546609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:19.340374947 CEST660965054109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:21.060601950 CEST660965054109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:21.060795069 CEST650546609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:21.060878038 CEST650546609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:21.065633059 CEST660965054109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:21.732074976 CEST650556609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:21.737056971 CEST660965055109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:21.741549015 CEST650556609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:21.741976023 CEST650556609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:21.747457027 CEST660965055109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:23.469769955 CEST660965055109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:23.469865084 CEST650556609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:23.469947100 CEST650556609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:23.475616932 CEST660965055109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:24.122828960 CEST650566609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:24.128036022 CEST660965056109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:24.128129005 CEST650566609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:24.128640890 CEST650566609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:24.133578062 CEST660965056109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:25.924052000 CEST660965056109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:25.924655914 CEST650566609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:25.924710035 CEST650566609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:25.929518938 CEST660965056109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:26.560359955 CEST650576609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:26.565877914 CEST660965057109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:26.565984011 CEST650576609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:26.566287041 CEST650576609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:26.571151018 CEST660965057109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:28.345799923 CEST660965057109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:28.348747015 CEST650576609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:28.348787069 CEST650576609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:28.353569031 CEST660965057109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:28.966130972 CEST650586609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:28.971045971 CEST660965058109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:28.972598076 CEST650586609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:28.972971916 CEST650586609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:28.977797985 CEST660965058109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:30.690839052 CEST660965058109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:30.694586039 CEST650586609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:30.694696903 CEST650586609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:30.702534914 CEST660965058109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:31.278774023 CEST650596609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:31.283778906 CEST660965059109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:31.283965111 CEST650596609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:31.284168959 CEST650596609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:31.289033890 CEST660965059109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:32.997792006 CEST660965059109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:32.997917891 CEST650596609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:32.997958899 CEST650596609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:33.002702951 CEST660965059109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:33.575721979 CEST650606609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:33.580727100 CEST660965060109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:33.581589937 CEST650606609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:33.582062960 CEST650606609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:33.586841106 CEST660965060109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:35.312249899 CEST660965060109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:35.314650059 CEST650606609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:35.318505049 CEST650606609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:35.323625088 CEST660965060109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:35.872852087 CEST650616609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:35.877855062 CEST660965061109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:35.882600069 CEST650616609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:35.883110046 CEST650616609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:35.887959957 CEST660965061109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:37.620215893 CEST660965061109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:37.622570038 CEST650616609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:37.626492977 CEST650616609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:37.631380081 CEST660965061109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:38.153814077 CEST650626609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:38.158761024 CEST660965062109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:38.158900976 CEST650626609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:38.159215927 CEST650626609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:38.164089918 CEST660965062109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:39.893358946 CEST660965062109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:39.894623041 CEST650626609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:39.894694090 CEST650626609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:39.899494886 CEST660965062109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:40.403724909 CEST650636609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:40.408781052 CEST660965063109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:40.408885956 CEST650636609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:40.409173965 CEST650636609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:40.413986921 CEST660965063109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:42.124576092 CEST660965063109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:42.126554966 CEST650636609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:42.126554966 CEST650636609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:42.131455898 CEST660965063109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:42.622610092 CEST650646609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:42.627587080 CEST660965064109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:42.627708912 CEST650646609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:42.627924919 CEST650646609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:42.632693052 CEST660965064109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:44.377795935 CEST660965064109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:44.377912998 CEST650646609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:44.377954960 CEST650646609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:44.382697105 CEST660965064109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:44.856832981 CEST650656609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:44.861800909 CEST660965065109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:44.861896992 CEST650656609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:44.862195015 CEST650656609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:44.866938114 CEST660965065109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:46.593306065 CEST660965065109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:46.593399048 CEST650656609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:46.593487978 CEST650656609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:46.598259926 CEST660965065109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:47.060252905 CEST650666609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:47.066390038 CEST660965066109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:47.066469908 CEST650666609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:47.066776037 CEST650666609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:47.073390961 CEST660965066109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:48.795809031 CEST660965066109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:48.795996904 CEST650666609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:48.796065092 CEST650666609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:48.801095963 CEST660965066109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:49.247586966 CEST650676609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:49.252765894 CEST660965067109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:49.254612923 CEST650676609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:49.254965067 CEST650676609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:49.259766102 CEST660965067109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:51.003554106 CEST660965067109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:51.006597996 CEST650676609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:51.006639957 CEST650676609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:51.011554956 CEST660965067109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:51.450690985 CEST650686609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:51.455718040 CEST660965068109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:51.455791950 CEST650686609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:51.456195116 CEST650686609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:51.461040974 CEST660965068109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:53.204375029 CEST660965068109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:53.204632998 CEST650686609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:53.204710960 CEST650686609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:53.209599018 CEST660965068109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:53.622788906 CEST650696609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:53.627774954 CEST660965069109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:53.628263950 CEST650696609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:53.628263950 CEST650696609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:53.634555101 CEST660965069109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:55.377948999 CEST660965069109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:55.378063917 CEST650696609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:55.378226995 CEST650696609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:55.383011103 CEST660965069109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:55.795299053 CEST650706609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:55.800230026 CEST660965070109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:55.800412893 CEST650706609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:55.801295042 CEST650706609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:55.806118011 CEST660965070109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:57.532953978 CEST660965070109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:57.533102036 CEST650706609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:57.533138037 CEST650706609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:57.537982941 CEST660965070109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:57.935496092 CEST650716609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:57.940934896 CEST660965071109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:57.942611933 CEST650716609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:57.943012953 CEST650716609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:57.948683023 CEST660965071109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:59.688719988 CEST660965071109.248.151.250192.168.2.4
                  Jul 1, 2024 15:26:59.690587044 CEST650716609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:59.690634966 CEST650716609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:26:59.697504997 CEST660965071109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:00.075767040 CEST650726609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:00.085335970 CEST660965072109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:00.086607933 CEST650726609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:00.087100029 CEST650726609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:00.098231077 CEST660965072109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:01.812622070 CEST660965072109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:01.813921928 CEST650726609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:01.823482037 CEST650726609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:01.829220057 CEST660965072109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:02.200932980 CEST650736609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:02.207762003 CEST660965073109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:02.207940102 CEST650736609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:02.211847067 CEST650736609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:02.216711998 CEST660965073109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:03.941592932 CEST660965073109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:03.944720984 CEST650736609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:03.944756985 CEST650736609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:03.952331066 CEST660965073109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:04.311532974 CEST650746609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:04.316478968 CEST660965074109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:04.316553116 CEST650746609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:04.316898108 CEST650746609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:04.321713924 CEST660965074109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:06.063342094 CEST660965074109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:06.064496994 CEST650746609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:06.065092087 CEST650746609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:06.069912910 CEST660965074109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:06.451396942 CEST650756609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:06.457950115 CEST660965075109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:06.458055019 CEST650756609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:06.458334923 CEST650756609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:06.463290930 CEST660965075109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:08.173537016 CEST660965075109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:08.173629999 CEST650756609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:08.173666000 CEST650756609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:08.179069996 CEST660965075109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:08.513010025 CEST650766609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:08.517947912 CEST660965076109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:08.518026114 CEST650766609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:08.518309116 CEST650766609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:08.523058891 CEST660965076109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:10.234217882 CEST660965076109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:10.234313011 CEST650766609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:10.238215923 CEST650766609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:10.243195057 CEST660965076109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:10.751331091 CEST650776609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:10.756244898 CEST660965077109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:10.758620977 CEST650776609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:10.758908987 CEST650776609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:10.763680935 CEST660965077109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:12.563772917 CEST660965077109.248.151.250192.168.2.4
                  Jul 1, 2024 15:27:12.564821005 CEST650776609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:12.564862967 CEST650776609192.168.2.4109.248.151.250
                  Jul 1, 2024 15:27:12.569849014 CEST660965077109.248.151.250192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 15:23:49.788348913 CEST | 53 | 62990 | 1.1.1.1 | 192.168.2.4
Jul 1, 2024 15:24:07.357490063 CEST | 59397 | 53 | 192.168.2.4 | 1.1.1.1
Jul 1, 2024 15:24:07.500859976 CEST | 53 | 59397 | 1.1.1.1 | 192.168.2.4
Jul 1, 2024 15:25:09.450211048 CEST | 60493 | 53 | 192.168.2.4 | 1.1.1.1
Jul 1, 2024 15:25:09.601409912 CEST | 53 | 60493 | 1.1.1.1 | 192.168.2.4
Jul 1, 2024 15:26:09.185008049 CEST | 58696 | 53 | 192.168.2.4 | 1.1.1.1
Jul 1, 2024 15:26:09.424355030 CEST | 53 | 58696 | 1.1.1.1 | 192.168.2.4
Jul 1, 2024 15:27:10.606683016 CEST | 53093 | 53 | 192.168.2.4 | 1.1.1.1
Jul 1, 2024 15:27:10.748399973 CEST | 53 | 53093 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 1, 2024 15:24:07.357490063 CEST | 192.168.2.4 | 1.1.1.1 | 0x7a0d | Standard query (0) | busbuctomorrrw.ddns.net | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:25:09.450211048 CEST | 192.168.2.4 | 1.1.1.1 | 0x4d12 | Standard query (0) | busbuctomorrrw.ddns.net | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:26:09.185008049 CEST | 192.168.2.4 | 1.1.1.1 | 0x8f0e | Standard query (0) | busbuctomorrrw.ddns.net | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:27:10.606683016 CEST | 192.168.2.4 | 1.1.1.1 | 0x947a | Standard query (0) | busbuctomorrrw.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 1, 2024 15:24:07.500859976 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a0d | No error (0) | busbuctomorrrw.ddns.net | (none) | 109.248.151.250 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:25:09.601409912 CEST | 1.1.1.1 | 192.168.2.4 | 0x4d12 | No error (0) | busbuctomorrrw.ddns.net | (none) | 109.248.151.250 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:26:09.424355030 CEST | 1.1.1.1 | 192.168.2.4 | 0x8f0e | No error (0) | busbuctomorrrw.ddns.net | (none) | 109.248.151.250 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:27:10.748399973 CEST | 1.1.1.1 | 192.168.2.4 | 0x947a | No error (0) | busbuctomorrrw.ddns.net | (none) | 109.248.151.250 | A (IP address) | IN (0x0001) | false

                  Target ID:0
                  Start time:09:23:29
                  Start date:01/07/2024
                  Path:C:\Users\user\Desktop\Certificate_of_registration.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Certificate_of_registration.exe"
                  Imagebase:0xab0000
                  File size:551'424 bytes
                  MD5 hash:74306FF01DB05A602A39C5DA423B8D00
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Imagebase:0xe20000
                  File size:2'625'616 bytes
                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:true

                  Target ID:2
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0xca0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 516
                  Imagebase:0x4a0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:09:23:34
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:09:23:36
                  Start date:01/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Imagebase:0xb20000
                  File size:551'424 bytes
                  MD5 hash:74306FF01DB05A602A39C5DA423B8D00
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 45%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:13
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Imagebase:0xe20000
                  File size:2'625'616 bytes
                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:true

                  Target ID:14
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:16
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:17
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 528
                  Imagebase:0x4a0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:18
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:19
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:20
                  Start time:09:23:41
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0xbe0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:21
                  Start time:09:23:42
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:22
                  Start time:09:23:42
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:26
                  Start time:09:24:01
                  Start date:01/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Imagebase:0xfb0000
                  File size:551'424 bytes
                  MD5 hash:74306FF01DB05A602A39C5DA423B8D00
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:27
                  Start time:09:24:06
                  Start date:01/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Imagebase:0xe20000
                  File size:2'625'616 bytes
                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Has exited:false

                  Target ID:28
                  Start time:09:24:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:29
                  Start time:09:24:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:30
                  Start time:09:24:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:31
                  Start time:09:24:07
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:32
                  Start time:09:24:07
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0xbe0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:33
                  Start time:09:24:07
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:34
                  Start time:09:24:07
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:36
                  Start time:09:25:00
                  Start date:01/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Imagebase:0x5b0000
                  File size:551'424 bytes
                  MD5 hash:74306FF01DB05A602A39C5DA423B8D00
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:37
                  Start time:09:25:05
                  Start date:01/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Imagebase:0xe20000
                  File size:2'625'616 bytes
                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:38
                  Start time:09:25:05
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:39
                  Start time:09:25:05
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:40
                  Start time:09:25:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:41
                  Start time:09:25:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:42
                  Start time:09:25:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0xbe0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:43
                  Start time:09:25:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:44
                  Start time:09:25:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:45
                  Start time:09:26:00
                  Start date:01/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Imagebase:0x610000
                  File size:551'424 bytes
                  MD5 hash:74306FF01DB05A602A39C5DA423B8D00
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:46
                  Start time:09:26:05
                  Start date:01/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Imagebase:0xe20000
                  File size:2'625'616 bytes
                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:47
                  Start time:09:26:05
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:48
                  Start time:09:26:05
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:49
                  Start time:09:26:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:50
                  Start time:09:26:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:51
                  Start time:09:26:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0xbe0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:52
                  Start time:09:26:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:53
                  Start time:09:26:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:54
                  Start time:09:27:00
                  Start date:01/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
                  Imagebase:0xcf0000
                  File size:551'424 bytes
                  MD5 hash:74306FF01DB05A602A39C5DA423B8D00
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:55
                  Start time:09:27:05
                  Start date:01/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  Imagebase:0xe20000
                  File size:2'625'616 bytes
                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:56
                  Start time:09:27:05
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:57
                  Start time:09:27:05
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:58
                  Start time:09:27:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:59
                  Start time:09:27:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:60
                  Start time:09:27:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
                  Imagebase:0xbe0000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:61
                  Start time:09:27:06
                  Start date:01/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:62
                  Start time:09:27:06
                  Start date:01/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true


                    Execution Graph

                    Execution Coverage:36.9%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:84
                    Total number of Limit Nodes:8
                    execution_graph (rendered graph omitted; node edges not reproduced): entry nodes 2c30848, 2c30838, 2c30b58; injection path via 2c34b7e; API-calling nodes: 2c34fe5 / 2c34f58 CreateProcessAsUserA, 2c35329 / 2c35330 Wow64SetThreadContext, 2c353e9 / 2c353f0 ReadProcessMemory, 2c354a9 / 2c354b0 VirtualAllocEx, 2c35550 / 2c35558 WriteProcessMemory, 2c35629 / 2c35630 ResumeThread

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c34f58-2c352e8; CreateProcessAsUserA called in block 2c35142-2c351fe; internal calls to 2c301cc
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C351EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: df331a136a75045d15d844c9e6fa71e95de8903d29b3c10ee193c2c8da99f318
                    • Instruction ID: 6b547843449d86266db0372b28b66ed88805c014603071771b60209b9e66a455
                    • Opcode Fuzzy Hash: df331a136a75045d15d844c9e6fa71e95de8903d29b3c10ee193c2c8da99f318
                    • Instruction Fuzzy Hash: DEA15871E002199FDB11CFA9C9417EDBBF6FF88304F0485A9E818A7290DB759A85CF91

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c34f4c-2c352e8; CreateProcessAsUserA called in block 2c35142-2c351fe; internal calls to 2c301cc
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C351EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: f9b9bf9d56e513abce430b58452707df2514efbd80cbf13f131a9e3ddf6ffff9
                    • Instruction ID: 3eee00a254de669113b8ab0471774d32849ea054639d5ff4d8316de53986a2e9
                    • Opcode Fuzzy Hash: f9b9bf9d56e513abce430b58452707df2514efbd80cbf13f131a9e3ddf6ffff9
                    • Instruction Fuzzy Hash: 74B15971E002199FDB11CFA9C9407EDBBB6FF88304F4485A9E818E7290DB759A85CF91

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c35550-2c3561c; WriteProcessMemory called in block 2c355b9-2c355f2
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02C355E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: d13761ca08daaec37de35cbe252e38ea602b46a2a428079205eee17800b04d96
                    • Instruction ID: 3d3fcd5d05192db39aee8edfa3ee1eb80e993eaf161c3f9081a10904e17a3351
                    • Opcode Fuzzy Hash: d13761ca08daaec37de35cbe252e38ea602b46a2a428079205eee17800b04d96
                    • Instruction Fuzzy Hash: 552126B1900249DFCB10CFAAC885BDEBBF5FB48310F108429E458A7250D374A544CFA4

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c35558-2c3561c; WriteProcessMemory called in block 2c355b9-2c355f2
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02C355E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 4f65c6c3d756e8911cc9f84fc695114d99273cef8100c8600363f4c4ad69350c
                    • Instruction ID: 0801ea9f62a0693ac72b1e9b6ba0e7c6296b1a9802cec5833ac926fa85ac8d2d
                    • Opcode Fuzzy Hash: 4f65c6c3d756e8911cc9f84fc695114d99273cef8100c8600363f4c4ad69350c
                    • Instruction Fuzzy Hash: 8D21E4B1900259DFCB10CF9AC985BDEBBF5FB48314F50842AE958A7250D374A944CFA5

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c35329-2c353de; Wow64SetThreadContext called in block 2c35388-2c353b4
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C353A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 78f02d9b227eaafd2650df3ffaa2cf05273b792a0476e70ce260ffcb821e1400
                    • Instruction ID: 7f1f74ea53c2a0e4c66190c4c0dd543b820dabbf6de2b78ae8ad9010f2e850ad
                    • Opcode Fuzzy Hash: 78f02d9b227eaafd2650df3ffaa2cf05273b792a0476e70ce260ffcb821e1400
                    • Instruction Fuzzy Hash: 0D2115B1D002199FCB50CF9AC5857EEFBB4AB49224F50852AD418A3240D378A9498FA1

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c35330-2c353de; Wow64SetThreadContext called in block 2c35388-2c353b4
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C353A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 463d4890de7637d66517a7dfa6edf89dba9dc0e344691b39e29b9a0a8fc7b282
                    • Instruction ID: 58b2f97870612fc6dab9f308dac36b6a9e8def87503a2a021650a4ade286ce54
                    • Opcode Fuzzy Hash: 463d4890de7637d66517a7dfa6edf89dba9dc0e344691b39e29b9a0a8fc7b282
                    • Instruction Fuzzy Hash: 942103B1D0021A9FCB00CF9AC985BEEFBF4BB48324F50852AD418B3240D378A9448FA5

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c353e9-2c3549d; ReadProcessMemory called in block 2c353e9-2c35473
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02C35466
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: e43ce3c9a3724d90e80870739a870a74b17fd342fb791bb23ae158928a6e6173
                    • Instruction ID: 6661a25cd7af8e6b9c6e06ce31f870b00be0c827493027060c8d9ad9a6e11ffb
                    • Opcode Fuzzy Hash: e43ce3c9a3724d90e80870739a870a74b17fd342fb791bb23ae158928a6e6173
                    • Instruction Fuzzy Hash: C421F4B5900249DFCB10CF9AC584BDEBFF4EB48324F148429E558A7251D339A544CFA5

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c353f0-2c3549d; ReadProcessMemory called in block 2c353f0-2c35473
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02C35466
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: dad60e068a1f208b17c72c78a9f87dcb3d3d410c51b47561b21652fee0db4812
                    • Instruction ID: 8121544472aadd110b0027abe049aa20edfaa172c2c5550207d92c9db12a5aff
                    • Opcode Fuzzy Hash: dad60e068a1f208b17c72c78a9f87dcb3d3d410c51b47561b21652fee0db4812
                    • Instruction Fuzzy Hash: BA21E4B5900249DFCB10DF9AC984BDEFBF4FB48324F148429E958A7251D378A644CFA5

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c354a9-2c35545; VirtualAllocEx called in block 2c354a9-2c35528
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C3551B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: e412f0a1038c9528b093935aeb053ea2e7dca213ac5d0f42bfd78b554923d5e7
                    • Instruction ID: 21e7dd723018eebbc170ce92c8b3bb6df51dfe7d706314f379bfdd6aadb43161
                    • Opcode Fuzzy Hash: e412f0a1038c9528b093935aeb053ea2e7dca213ac5d0f42bfd78b554923d5e7
                    • Instruction Fuzzy Hash: F81132B6800249DFCB10CF9AC884BDEBFF5EF49324F208459E568A7210C335A944CFA5

                    Control-flow Graph

                    control_flow_graph (rendered graph and executed/not-executed colouring omitted): basic blocks 2c354b0-2c35545; VirtualAllocEx called in block 2c354b0-2c35528
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C3551B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 275f6e9d607d9d60981c9d2d34bbc6aa5f8451aa9f02a944472c2b506044e2ef
                    • Instruction ID: 719f5373b4fa046f48e5c2008e4e2ee5d90115c99acd98bf705aa2f9083e18eb
                    • Opcode Fuzzy Hash: 275f6e9d607d9d60981c9d2d34bbc6aa5f8451aa9f02a944472c2b506044e2ef
                    • Instruction Fuzzy Hash: AB1122B6900249DFCB10CF9AC984BDEBFF4FB48324F208419E528A7210C335AA44CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 317 2c35629-2c3569c ResumeThread 320 2c356a5-2c356b9 317->320 321 2c3569e-2c356a4 317->321 321->320
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 61e0f9577b2db51203653c152f28b77cfe3787b20aedf33b621d03e798c5c439
                    • Instruction ID: 30940bcb1ec15fe86dbd394485b4cd81858f63a20df290c44b8005abc8242a67
                    • Opcode Fuzzy Hash: 61e0f9577b2db51203653c152f28b77cfe3787b20aedf33b621d03e798c5c439
                    • Instruction Fuzzy Hash: A811FEB5800249CFCB10DF9AD588BDEBFF4AB49324F20845AD558A7250C379A948CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 323 2c35630-2c3569c ResumeThread 325 2c356a5-2c356b9 323->325 326 2c3569e-2c356a4 323->326 326->325
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739778406.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2c30000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 7edef6bd5dd5e73ed9856a3eba254c132dfabf071e8e30f38d7a13b32ed96920
                    • Instruction ID: 4d59056933daf8d251caeef7640e1d8bef309f129152e8b4ef1474c04a8f3cd2
                    • Opcode Fuzzy Hash: 7edef6bd5dd5e73ed9856a3eba254c132dfabf071e8e30f38d7a13b32ed96920
                    • Instruction Fuzzy Hash: DB1123B5800249CFCB10DF9AC548BDEFBF4EB48324F20845AD558A7350C374A944CFA5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1739883183.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2cf0000_Certificate_of_registration.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 64f9ec631ad7d64107d9b97160e934ed3cb33ca57a387d4ad0591bded38a64ee
                    • Instruction ID: fe60230a7dd6e5fdaaf2004d29869ef31e93af79cc1926d798640575a1c7d6a2
                    • Opcode Fuzzy Hash: 64f9ec631ad7d64107d9b97160e934ed3cb33ca57a387d4ad0591bded38a64ee
                    • Instruction Fuzzy Hash:

                    Execution Graph

                    Execution Coverage:32.5%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:75
                    Total number of Limit Nodes:7
                    execution_graph 2704 192562a 2705 192562e 2704->2705 2707 1925661 2705->2707 2708 1925671 ResumeThread 2707->2708 2709 192569e 2708->2709 2619 1920848 2620 1920863 2619->2620 2624 19208c3 2620->2624 2628 1920b16 2620->2628 2621 1920870 2625 19208da 2624->2625 2626 192090f 2624->2626 2625->2626 2632 19233d7 2625->2632 2626->2621 2629 19208da 2628->2629 2630 192090f 2629->2630 2631 19233d7 11 API calls 2629->2631 2630->2621 2631->2630 2633 19233f8 2632->2633 2638 1923870 2633->2638 2643 19236b1 2633->2643 2647 19236c0 2633->2647 2634 1923431 2634->2626 2639 1923874 2638->2639 2641 19237fd 2638->2641 2640 1923813 2640->2634 2641->2640 2651 1924b7e 2641->2651 2644 19236c0 2643->2644 2645 19237ab 2644->2645 2646 1924b7e 11 API calls 2644->2646 2645->2634 2646->2644 2648 19236d3 2647->2648 2649 19237ab 2648->2649 2650 1924b7e 11 API calls 2648->2650 2649->2634 2650->2648 2652 1924bed 2651->2652 2683 1924f58 2652->2683 2687 1924f4c 2652->2687 2653 1924c72 2655 1924eb0 2653->2655 2679 1925330 Wow64SetThreadContext 2653->2679 2680 192532a Wow64SetThreadContext 2653->2680 2654 1924cd0 2654->2655 2681 19253f0 ReadProcessMemory 2654->2681 2682 19253ea ReadProcessMemory 2654->2682 2655->2641 2656 1924d06 2666 19254b0 VirtualAllocEx 2656->2666 2667 19254aa VirtualAllocEx 2656->2667 2657 1924d45 2658 1924d72 2657->2658 2672 19254b0 VirtualAllocEx 2657->2672 2673 19254aa VirtualAllocEx 2657->2673 2658->2655 2674 1925550 WriteProcessMemory 2658->2674 2675 1925558 WriteProcessMemory 2658->2675 2659 1924d99 2660 1924e30 2659->2660 2670 1925550 WriteProcessMemory 2659->2670 2671 1925558 WriteProcessMemory 2659->2671 2668 1925550 WriteProcessMemory 2660->2668 2669 1925558 WriteProcessMemory 2660->2669 2661 1924e59 2661->2655 2676 1925330 Wow64SetThreadContext 2661->2676 2677 192532a Wow64SetThreadContext 2661->2677 2662 1924e9d 2678 1925661 ResumeThread 2662->2678 2663 1924eae 2663->2641 2666->2657 2667->2657 2668->2661 2669->2661 2670->2659 2671->2659 2672->2658 
2673->2658 2674->2659 2675->2659 2676->2662 2677->2662 2678->2663 2679->2654 2680->2654 2681->2656 2682->2656 2684 1924fe5 CreateProcessAsUserA 2683->2684 2686 1925200 2684->2686 2686->2686 2688 1924fe5 CreateProcessAsUserA 2687->2688 2690 1925200 2688->2690 2690->2690 2699 1920838 2700 1920863 2699->2700 2702 19208c3 11 API calls 2700->2702 2703 1920b16 11 API calls 2700->2703 2701 1920870 2702->2701 2703->2701 2691 1920b59 2692 1920b70 2691->2692 2693 1920b80 2692->2693 2694 19233d7 11 API calls 2692->2694 2694->2693
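The execution graph for process 12 above (hcaresult_12_2_1920000_Phtos.jbxd, base 01920000) links the API wrapper blocks for CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is the primitive set of RunPE-style process hollowing: a process is created suspended, memory is allocated and written in it, the main thread's context is repointed, and the thread is resumed. The Python below is an added worked example, not code from the Joe Sandbox report or from the sample: it parses that graph dump and checks whether the four post-creation APIs occur in order along a single path. Assumptions: the token rules (short decimal node ids, 7-digit hex addresses, optional labels, `a->b` edges) are inferred from the dump text itself rather than from a documented format, and `HOLLOWING_CHAIN` is an analyst-chosen signature, not something the report defines.

```python
"""Match an ordered process-injection API chain in a Joe Sandbox execution-graph dump.
Added example, not part of the report; the token rules (short decimal node id, 7-digit hex
address, optional label, 'a->b' edges) are inferred from the dump above and are an assumption."""
import re
from collections import defaultdict, deque

# Copied from the execution graph of process 12 (hcaresult_12_2_1920000_Phtos.jbxd) above.
GRAPH_12 = """
execution_graph 2704 192562a 2705 192562e 2704->2705 2707 1925661 2705->2707 2708 1925671 ResumeThread 2707->2708 2709 192569e 2708->2709
2619 1920848 2620 1920863 2619->2620 2624 19208c3 2620->2624 2628 1920b16 2620->2628 2621 1920870 2625 19208da 2624->2625 2626 192090f
2624->2626 2625->2626 2632 19233d7 2625->2632 2626->2621 2629 19208da 2628->2629 2630 192090f 2629->2630 2631 19233d7 11 API calls
2629->2631 2630->2621 2631->2630 2633 19233f8 2632->2633 2638 1923870 2633->2638 2643 19236b1 2633->2643 2647 19236c0 2633->2647
2634 1923431 2634->2626 2639 1923874 2638->2639 2641 19237fd 2638->2641 2640 1923813 2640->2634 2641->2640 2651 1924b7e 2641->2651
2644 19236c0 2643->2644 2645 19237ab 2644->2645 2646 1924b7e 11 API calls 2644->2646 2645->2634 2646->2644 2648 19236d3 2647->2648
2649 19237ab 2648->2649 2650 1924b7e 11 API calls 2648->2650 2649->2634 2650->2648 2652 1924bed 2651->2652 2683 1924f58 2652->2683
2687 1924f4c 2652->2687 2653 1924c72 2655 1924eb0 2653->2655 2679 1925330 Wow64SetThreadContext 2653->2679 2680 192532a Wow64SetThreadContext
2653->2680 2654 1924cd0 2654->2655 2681 19253f0 ReadProcessMemory 2654->2681 2682 19253ea ReadProcessMemory 2654->2682 2655->2641
2656 1924d06 2666 19254b0 VirtualAllocEx 2656->2666 2667 19254aa VirtualAllocEx 2656->2667 2657 1924d45 2658 1924d72 2657->2658
2672 19254b0 VirtualAllocEx 2657->2672 2673 19254aa VirtualAllocEx 2657->2673 2658->2655 2674 1925550 WriteProcessMemory 2658->2674
2675 1925558 WriteProcessMemory 2658->2675 2659 1924d99 2660 1924e30 2659->2660 2670 1925550 WriteProcessMemory 2659->2670
2671 1925558 WriteProcessMemory 2659->2671 2668 1925550 WriteProcessMemory 2660->2668 2669 1925558 WriteProcessMemory 2660->2669
2661 1924e59 2661->2655 2676 1925330 Wow64SetThreadContext 2661->2676 2677 192532a Wow64SetThreadContext 2661->2677 2662 1924e9d
2678 1925661 ResumeThread 2662->2678 2663 1924eae 2663->2641 2666->2657 2667->2657 2668->2661 2669->2661 2670->2659 2671->2659
2672->2658 2673->2658 2674->2659 2675->2659 2676->2662 2677->2662 2678->2663 2679->2654 2680->2654 2681->2656 2682->2656
2684 1924fe5 CreateProcessAsUserA 2683->2684 2686 1925200 2684->2686 2686->2686 2688 1924fe5 CreateProcessAsUserA 2687->2688
2690 1925200 2688->2690 2690->2690 2699 1920838 2700 1920863 2699->2700 2702 19208c3 11 API calls 2700->2702 2703 1920b16 11 API calls
2700->2703 2701 1920870 2702->2701 2703->2701 2691 1920b59 2692 1920b70 2691->2692 2693 1920b80 2692->2693 2694 19233d7 11 API calls 2692->2694 2694->2693
"""

# Analyst-chosen signature (an assumption): the post-CreateProcess core of RunPE-style hollowing.
# Entries match as substrings, so "SetThreadContext" also covers the Wow64 variant in this report.
HOLLOWING_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

ID_RE = re.compile(r"^\d{1,5}$")                # node ids are short decimals (48, 2704, ...)
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")        # code addresses are lowercase hex (1925661)
API_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # "VirtualAllocEx" yes, "11 API calls" no


def _is_node_start(tokens, i):  # a node definition is "<id> <addr>"; used as lookahead too
    return bool(i + 1 < len(tokens) and ID_RE.match(tokens[i]) and ADDR_RE.match(tokens[i + 1]))


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (addr, label); edges is a list of (src, dst)."""
    tokens, nodes, edges, i = text.split(), {}, [], 0
    while i < len(tokens):
        if "->" in tokens[i]:
            edges.append(tuple(tokens[i].split("->")))
            i += 1
        elif _is_node_start(tokens, i):
            j = i + 2  # label tokens run until the next edge or the next node definition
            while j < len(tokens) and "->" not in tokens[j] and not _is_node_start(tokens, j):
                j += 1
            nodes[tokens[i]] = (tokens[i + 1], " ".join(tokens[i + 2:j]))
            i = j
        else:
            i += 1  # the "execution_graph" header or stray text
    return nodes, edges


def api_name(nodes, node):
    """API a node is labelled with, or None for plain blocks and "11 API calls" summaries."""
    label = nodes.get(node, ("", ""))[1]
    return label if API_RE.match(label) else None


def api_inventory(nodes):
    """Sorted, de-duplicated API names present anywhere in the graph."""
    return sorted({api_name(nodes, n) for n in nodes if api_name(nodes, n)})


def find_ordered_chain(nodes, edges, pattern):
    """BFS over (node, matched) states; greedy matching is optimal for a subsequence.
    Returns [(id, addr, api), ...] witnessing pattern in order along one path, else None."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    parent = {(n, 0): None for n in nodes}  # any node may begin the path
    queue = deque(parent)
    while queue:
        node, k = queue.popleft()
        api = api_name(nodes, node)
        nk = k + 1 if api and pattern[k] in api else k
        if nk == len(pattern):
            return _witness(nodes, parent, pattern, (node, k))
        for nxt in succ[node]:
            if (nxt, nk) not in parent:
                parent[(nxt, nk)] = (node, k)
                queue.append((nxt, nk))
    return None


def _witness(nodes, parent, pattern, state):  # walk parents back, keeping the matching nodes
    out = []
    while state is not None:
        node, k = state
        api = api_name(nodes, node)
        if api and pattern[k] in api:
            out.append((node, nodes[node][0], api))
        state = parent[state]
    return out[::-1]


if __name__ == "__main__":
    print(find_ordered_chain(*parse_execution_graph(GRAPH_12), HOLLOWING_CHAIN))
```

Parsing the dump recovers 75 nodes, the same count the report gives for this graph, and the chain VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread is found on one path ending at the ResumeThread wrapper at 1925661. Two caveats for anyone turning this into a rule: in this dump the CreateProcessAsUserA wrappers (1924f58 and 1924f4c) form a component with no edge into the chain that starts at 1924c72, so a check demanding a single path from CreateProcessAsUserA to ResumeThread returns None here and is better expressed as API presence plus the ordered four-call chain; and the wrapper reached from 1924c72 is labelled Wow64SetThreadContext ahead of ReadProcessMemory, so graph label order should be confirmed against the per-function APIs lists before it is cited as evidence of call order.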

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 49 1924f4c-1924ff1 51 1924ff3-1925018 49->51 52 1925045-1925067 49->52 51->52 57 192501a-192501c 51->57 55 1925069-1925091 52->55 56 19250be-19250ee 52->56 55->56 64 1925093-1925095 55->64 66 1925142-19251fe CreateProcessAsUserA 56->66 67 19250f0-1925115 56->67 58 192501e-1925028 57->58 59 192503f-1925042 57->59 61 192502a 58->61 62 192502c-192503b 58->62 59->52 61->62 62->62 65 192503d 62->65 68 1925097-19250a1 64->68 69 19250b8-19250bb 64->69 65->59 81 1925200-1925206 66->81 82 1925207-192527b 66->82 67->66 74 1925117-1925119 67->74 71 19250a3 68->71 72 19250a5-19250b4 68->72 69->56 71->72 72->72 75 19250b6 72->75 76 192511b-1925125 74->76 77 192513c-192513f 74->77 75->69 79 1925127 76->79 80 1925129-1925138 76->80 77->66 79->80 80->80 83 192513a 80->83 81->82 91 192528b-192528f 82->91 92 192527d-1925281 82->92 83->77 93 1925291-1925295 91->93 94 192529f-19252a3 91->94 92->91 95 1925283-1925286 call 19201cc 92->95 93->94 96 1925297-192529a call 19201cc 93->96 97 19252b3-19252b7 94->97 98 19252a5-19252a9 94->98 95->91 96->94 102 19252c9-19252d0 97->102 103 19252b9-19252bf 97->103 98->97 101 19252ab-19252ae call 19201cc 98->101 101->97 105 19252d2-19252e1 102->105 106 19252e7 102->106 103->102 105->106 107 19252e8 106->107 107->107
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 019251EB
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: c20f510f3b3f95907746fcb8d2652ead9118d1615a46cf39523c8a75da0fd7ca
                    • Instruction ID: a551b20b3da414f14e263000bc6c67b8b163f31f8801f395f5e490dd51025428
                    • Opcode Fuzzy Hash: c20f510f3b3f95907746fcb8d2652ead9118d1615a46cf39523c8a75da0fd7ca
                    • Instruction Fuzzy Hash: 00A15870E002299FEB15CFA8C8407EDBBB6FF49304F1581A9E81CA7295DB749985CF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 109 1924f58-1924ff1 111 1924ff3-1925018 109->111 112 1925045-1925067 109->112 111->112 117 192501a-192501c 111->117 115 1925069-1925091 112->115 116 19250be-19250ee 112->116 115->116 124 1925093-1925095 115->124 126 1925142-19251fe CreateProcessAsUserA 116->126 127 19250f0-1925115 116->127 118 192501e-1925028 117->118 119 192503f-1925042 117->119 121 192502a 118->121 122 192502c-192503b 118->122 119->112 121->122 122->122 125 192503d 122->125 128 1925097-19250a1 124->128 129 19250b8-19250bb 124->129 125->119 141 1925200-1925206 126->141 142 1925207-192527b 126->142 127->126 134 1925117-1925119 127->134 131 19250a3 128->131 132 19250a5-19250b4 128->132 129->116 131->132 132->132 135 19250b6 132->135 136 192511b-1925125 134->136 137 192513c-192513f 134->137 135->129 139 1925127 136->139 140 1925129-1925138 136->140 137->126 139->140 140->140 143 192513a 140->143 141->142 151 192528b-192528f 142->151 152 192527d-1925281 142->152 143->137 153 1925291-1925295 151->153 154 192529f-19252a3 151->154 152->151 155 1925283-1925286 call 19201cc 152->155 153->154 156 1925297-192529a call 19201cc 153->156 157 19252b3-19252b7 154->157 158 19252a5-19252a9 154->158 155->151 156->154 162 19252c9-19252d0 157->162 163 19252b9-19252bf 157->163 158->157 161 19252ab-19252ae call 19201cc 158->161 161->157 165 19252d2-19252e1 162->165 166 19252e7 162->166 163->162 165->166 167 19252e8 166->167 167->167
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 019251EB
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 9e837ca79b06ad1188b0195c8074d0b87226bb548ce4152ecd084575772b65f4
                    • Instruction ID: cf9560ac4222a11b0716924344e50f581352965980665fd6023392797b925d7b
                    • Opcode Fuzzy Hash: 9e837ca79b06ad1188b0195c8074d0b87226bb548ce4152ecd084575772b65f4
                    • Instruction Fuzzy Hash: 9BA15970E002299FEB14CFA8C8407EDBBB6FF49304F158169E81CA7295DB749985CF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 269 1925550-19255a9 271 19255ab-19255b7 269->271 272 19255b9-19255f2 WriteProcessMemory 269->272 271->272 273 19255f4-19255fa 272->273 274 19255fb-192561c 272->274 273->274
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 019255E5
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 04c773c759a2ef9c4699068c9e35d8afb81a19c9ca54bcdfa574097b1525a2fe
                    • Instruction ID: e362119f2550173cec3b727d96aa8bce5350d2ce1d4be90e5b4fca47fb540d9c
                    • Opcode Fuzzy Hash: 04c773c759a2ef9c4699068c9e35d8afb81a19c9ca54bcdfa574097b1525a2fe
                    • Instruction Fuzzy Hash: 3E21F3B1900359DFDB10CFAAD885BDEBBF5BB49310F10842AE959E7251D378A940CFA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 276 1925558-19255a9 278 19255ab-19255b7 276->278 279 19255b9-19255f2 WriteProcessMemory 276->279 278->279 280 19255f4-19255fa 279->280 281 19255fb-192561c 279->281 280->281
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 019255E5
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: f22aa5d4d6e80754c49eac13199697507eaba59443595de6a60b007793d06ebf
                    • Instruction ID: 76e156677d146454fa47ffab229edbdfa63141ad753a459e01a2b1a700407eb0
                    • Opcode Fuzzy Hash: f22aa5d4d6e80754c49eac13199697507eaba59443595de6a60b007793d06ebf
                    • Instruction Fuzzy Hash: 7B21D2B1900359DFDB10CF9AD885BDEBBF5FB48310F10842AE958A7250D378A944CFA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 283 192532a-192537c 285 1925388-19253b4 Wow64SetThreadContext 283->285 286 192537e-1925386 283->286 287 19253b6-19253bc 285->287 288 19253bd-19253de 285->288 286->285 287->288
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 019253A7
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 481ea20a33a60accdec927f5c352db391b1940ccb782ee877a706a7a030f3c9a
                    • Instruction ID: d02b34a30e392542407353256e5dd54f4b08aadb13169ae4c0ebe10ccdb43343
                    • Opcode Fuzzy Hash: 481ea20a33a60accdec927f5c352db391b1940ccb782ee877a706a7a030f3c9a
                    • Instruction Fuzzy Hash: 082124B1E1022A9FDB14CF9AC445BEEFBF4BB49320F14812AD458B3240D378A9448FA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 290 19253ea-1925473 ReadProcessMemory 292 1925475-192547b 290->292 293 192547c-192549d 290->293 292->293
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01925466
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 61194799d73e55926cbb914cd0b37b4f5c6f1ad26774f92cc60b14b602493fb4
                    • Instruction ID: beda0053150f6c677d8eb5364f9e8fe5effec374931ca63d029e5b273560ece1
                    • Opcode Fuzzy Hash: 61194799d73e55926cbb914cd0b37b4f5c6f1ad26774f92cc60b14b602493fb4
                    • Instruction Fuzzy Hash: BE21E3B1900359DFDB10CF9AC884BDEFBF4AF49324F14802AE958A7251C378A544CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 295 1925330-192537c 297 1925388-19253b4 Wow64SetThreadContext 295->297 298 192537e-1925386 295->298 299 19253b6-19253bc 297->299 300 19253bd-19253de 297->300 298->297 299->300
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 019253A7
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: d0961dba6832d7bbd4f66ca79ec245b8e1c542924c04686ae88164ba45eb5eee
                    • Instruction ID: 8896c5a5e920b59fa3c4be66a2c493306f24a4faa81ed6012b7abdf4b060598f
                    • Opcode Fuzzy Hash: d0961dba6832d7bbd4f66ca79ec245b8e1c542924c04686ae88164ba45eb5eee
                    • Instruction Fuzzy Hash: 3A2106B1D102199FDB14CF9AC445BDEFBF8BB49320F10812AD558B3240D378A9448FA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 302 19253f0-1925473 ReadProcessMemory 304 1925475-192547b 302->304 305 192547c-192549d 302->305 304->305
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01925466
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 6c017463e36f40df509a95153a22894fbb0fb3771306bcec6654624e0e96df21
                    • Instruction ID: 9971c92a84bd4552c26e7b1515047ffcf77d7b2609d60a5ff8abee80c9997a4f
                    • Opcode Fuzzy Hash: 6c017463e36f40df509a95153a22894fbb0fb3771306bcec6654624e0e96df21
                    • Instruction Fuzzy Hash: F921D3B5900259DFDB10DF9AC884BDEFBF8FB48320F148429E958A7251D378A644CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 307 19254aa-1925528 VirtualAllocEx 309 1925531-1925545 307->309 310 192552a-1925530 307->310 310->309
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0192551B
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 22e0e0f9ceb5bc38c1a59cdb6b938471a9545f980298314c0f4428a5cce27152
                    • Instruction ID: 18efd2bb6f42a7ac366b6009cc134c4877992d01af4c8f9a01882ab8161e175c
                    • Opcode Fuzzy Hash: 22e0e0f9ceb5bc38c1a59cdb6b938471a9545f980298314c0f4428a5cce27152
                    • Instruction Fuzzy Hash: 481102B5900359DFDB20DF99D884BDEBFF4EB89320F208429E559A7250C375A940CFA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 312 19254b0-1925528 VirtualAllocEx 314 1925531-1925545 312->314 315 192552a-1925530 312->315 315->314
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0192551B
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 52aa0280ae7a8b057bb040efbcf23b84533d8ff406ce4fb6ab3622b81c465bda
                    • Instruction ID: adaaedea8d4ca08d4b69c732998a0df4e9c957b84c67ac26eb3ae6b7c60e65e6
                    • Opcode Fuzzy Hash: 52aa0280ae7a8b057bb040efbcf23b84533d8ff406ce4fb6ab3622b81c465bda
                    • Instruction Fuzzy Hash: F011E3B5900259DFDB10DF9AD884BDEBFF8EB48320F208419E558A7250C375A544CFA5

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 317 1925661-192569c ResumeThread 319 19256a5-19256b9 317->319 320 192569e-19256a4 317->320 320->319
                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.1815702962.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_12_2_1920000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 94e159567590ac1d24362fff6017318af56d1b5125e629f7f50ecc4a18c2e366
                    • Instruction ID: 131047644bd958f2a9f160257cb98e96772dd0018eefafee436571dd4654112f
                    • Opcode Fuzzy Hash: 94e159567590ac1d24362fff6017318af56d1b5125e629f7f50ecc4a18c2e366
                    • Instruction Fuzzy Hash: D0F017B5900319CFDB20DF99E4487DEFBF4AF88328F20846AD559A7250C778A444CFA5

                    Execution Graph

                    Execution Coverage:33.8%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:63
                    Total number of Limit Nodes:5
                    execution_graph 2386 3170848 2387 3170863 2386->2387 2391 3170b16 2387->2391 2395 31708c3 2387->2395 2388 3170870 2393 31708da 2391->2393 2392 3170b2d 2392->2388 2393->2392 2399 31733d7 2393->2399 2396 31708da 2395->2396 2398 3170b2d 2395->2398 2397 31733d7 12 API calls 2396->2397 2396->2398 2397->2398 2398->2388 2400 31733f8 2399->2400 2404 31736b1 2400->2404 2408 31736c0 2400->2408 2401 3173431 2401->2392 2405 31736d3 2404->2405 2406 31737ab 2405->2406 2412 3174b7e 2405->2412 2406->2401 2409 31736d3 2408->2409 2410 31737ab 2409->2410 2411 3174b7e 12 API calls 2409->2411 2410->2401 2411->2409 2413 3174bed 2412->2413 2442 3174f4c 2413->2442 2446 3174f58 2413->2446 2414 3174c72 2415 3174eb0 2414->2415 2438 3175330 Wow64SetThreadContext 2414->2438 2439 317532b Wow64SetThreadContext 2414->2439 2415->2405 2416 3174cd0 2416->2415 2440 31753f0 ReadProcessMemory 2416->2440 2441 31753eb ReadProcessMemory 2416->2441 2417 3174d06 2426 31754b0 VirtualAllocEx 2417->2426 2427 31754ab VirtualAllocEx 2417->2427 2418 3174d45 2418->2415 2432 3175550 WriteProcessMemory 2418->2432 2433 3175558 WriteProcessMemory 2418->2433 2419 3174d99 2420 3174e30 2419->2420 2430 3175550 WriteProcessMemory 2419->2430 2431 3175558 WriteProcessMemory 2419->2431 2428 3175550 WriteProcessMemory 2420->2428 2429 3175558 WriteProcessMemory 2420->2429 2421 3174e59 2421->2415 2434 3175330 Wow64SetThreadContext 2421->2434 2435 317532b Wow64SetThreadContext 2421->2435 2422 3174e9d 2436 3175630 ResumeThread 2422->2436 2437 317562b ResumeThread 2422->2437 2423 3174eae 2423->2405 2426->2418 2427->2418 2428->2421 2429->2421 2430->2419 2431->2419 2432->2419 2433->2419 2434->2422 2435->2422 2436->2423 2437->2423 2438->2416 2439->2416 2440->2417 2441->2417 2443 3174fe5 CreateProcessAsUserA 2442->2443 2445 3175200 2443->2445 2447 3174fe5 CreateProcessAsUserA 2446->2447 2449 3175200 2447->2449 2450 3170b58 2451 3170b76 2450->2451 2452 31733d7 12 API calls 2451->2452 2453 3170b80 2451->2453 
2452->2453 2458 3170838 2459 3170863 2458->2459 2461 3170b16 12 API calls 2459->2461 2462 31708c3 12 API calls 2459->2462 2460 3170870 2461->2460 2462->2460

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 48 3174f4c-3174ff1 50 3175045-3175067 48->50 51 3174ff3-3175018 48->51 54 31750be-31750ee 50->54 55 3175069-3175091 50->55 51->50 56 317501a-317501c 51->56 65 3175142-31751fe CreateProcessAsUserA 54->65 66 31750f0-3175115 54->66 55->54 63 3175093-3175095 55->63 57 317503f-3175042 56->57 58 317501e-3175028 56->58 57->50 60 317502c-317503b 58->60 61 317502a 58->61 60->60 64 317503d 60->64 61->60 67 3175097-31750a1 63->67 68 31750b8-31750bb 63->68 64->57 80 3175207-317527b 65->80 81 3175200-3175206 65->81 66->65 73 3175117-3175119 66->73 69 31750a5-31750b4 67->69 70 31750a3 67->70 68->54 69->69 74 31750b6 69->74 70->69 75 317513c-317513f 73->75 76 317511b-3175125 73->76 74->68 75->65 78 3175127 76->78 79 3175129-3175138 76->79 78->79 79->79 82 317513a 79->82 90 317527d-3175281 80->90 91 317528b-317528f 80->91 81->80 82->75 90->91 92 3175283-3175286 call 31701cc 90->92 93 3175291-3175295 91->93 94 317529f-31752a3 91->94 92->91 93->94 98 3175297-317529a call 31701cc 93->98 95 31752a5-31752a9 94->95 96 31752b3-31752b7 94->96 95->96 100 31752ab-31752ae call 31701cc 95->100 101 31752c9-31752d0 96->101 102 31752b9-31752bf 96->102 98->94 100->96 104 31752e7 101->104 105 31752d2-31752e1 101->105 102->101 107 31752e8 104->107 105->104 107->107
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 031751EB
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 44603e16fb49bf469385287c27c28a46ae2cf9f5a2e6f7512d42ae531a65e886
                    • Instruction ID: 047400ffd41ebca0960079a7f54ff5ef70c785aa6361441f18a7766adf1e4bc7
                    • Opcode Fuzzy Hash: 44603e16fb49bf469385287c27c28a46ae2cf9f5a2e6f7512d42ae531a65e886
                    • Instruction Fuzzy Hash: 19A13A71E012199FDB14DFA8C8417EDBBF6FF49304F0881A9E818A7290DB759985CF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 108 3174f58-3174ff1 110 3175045-3175067 108->110 111 3174ff3-3175018 108->111 114 31750be-31750ee 110->114 115 3175069-3175091 110->115 111->110 116 317501a-317501c 111->116 125 3175142-31751fe CreateProcessAsUserA 114->125 126 31750f0-3175115 114->126 115->114 123 3175093-3175095 115->123 117 317503f-3175042 116->117 118 317501e-3175028 116->118 117->110 120 317502c-317503b 118->120 121 317502a 118->121 120->120 124 317503d 120->124 121->120 127 3175097-31750a1 123->127 128 31750b8-31750bb 123->128 124->117 140 3175207-317527b 125->140 141 3175200-3175206 125->141 126->125 133 3175117-3175119 126->133 129 31750a5-31750b4 127->129 130 31750a3 127->130 128->114 129->129 134 31750b6 129->134 130->129 135 317513c-317513f 133->135 136 317511b-3175125 133->136 134->128 135->125 138 3175127 136->138 139 3175129-3175138 136->139 138->139 139->139 142 317513a 139->142 150 317527d-3175281 140->150 151 317528b-317528f 140->151 141->140 142->135 150->151 152 3175283-3175286 call 31701cc 150->152 153 3175291-3175295 151->153 154 317529f-31752a3 151->154 152->151 153->154 158 3175297-317529a call 31701cc 153->158 155 31752a5-31752a9 154->155 156 31752b3-31752b7 154->156 155->156 160 31752ab-31752ae call 31701cc 155->160 161 31752c9-31752d0 156->161 162 31752b9-31752bf 156->162 158->154 160->156 164 31752e7 161->164 165 31752d2-31752e1 161->165 162->161 167 31752e8 164->167 165->164 167->167
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 031751EB
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 0669e8c289dae0355363a5132a056f8386144c49bd7754563aec3609fabd460d
                    • Instruction ID: a06ce0dc4c50e815ed3a2287b6f6257bb31249d06f5359b67d3da0359beb741e
                    • Opcode Fuzzy Hash: 0669e8c289dae0355363a5132a056f8386144c49bd7754563aec3609fabd460d
                    • Instruction Fuzzy Hash: 80A13971E002199FDB14DFA8C8417EDBBF6FF4A304F0881A9E818A7290DB759985CF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 266 3175550-31755a9 268 31755ab-31755b7 266->268 269 31755b9-31755f2 WriteProcessMemory 266->269 268->269 270 31755f4-31755fa 269->270 271 31755fb-317561c 269->271 270->271
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031755E5
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: b2129d572005f82c2c3d395934b6b53140167cc949a631e56f96a11a2ba7aaa5
                    • Instruction ID: 618dc4ee371a479cac3fd0cd63702abf085ca580bfecb2ae97c43948b3cb09d9
                    • Opcode Fuzzy Hash: b2129d572005f82c2c3d395934b6b53140167cc949a631e56f96a11a2ba7aaa5
                    • Instruction Fuzzy Hash: B52103B5900259DFCB00CFAAC985BDEBBF5BF49310F14842AE558A7251D378A944CFA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 273 3175558-31755a9 275 31755ab-31755b7 273->275 276 31755b9-31755f2 WriteProcessMemory 273->276 275->276 277 31755f4-31755fa 276->277 278 31755fb-317561c 276->278 277->278
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031755E5
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0

                    Control-flow Graph

                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031753A7
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0

                    Control-flow Graph

                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031753A7
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0

                    Control-flow Graph

                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03175466
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0

                    Control-flow Graph

                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03175466
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0

                    Control-flow Graph

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0317551B
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0

                    Control-flow Graph

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0317551B
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000001A.00000002.2063070271.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_26_2_3170000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0

                    Execution Graph

                    Execution Coverage:38.4%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:94
                    Total number of Limit Nodes:6

                    Control-flow Graph

                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 010051EB
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0

                    Control-flow Graph

                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 010051EB
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0

                    Control-flow Graph

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 010055E5
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0

                    Control-flow Graph

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 010055E5
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0

                    Control-flow Graph

                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 010053A7
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0

                    Control-flow Graph

                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01005466
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0

                    Control-flow Graph

                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 010053A7
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0

                    Control-flow Graph

                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01005466
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0

                    Control-flow Graph

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0100551B
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0

                    Control-flow Graph

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0100551B
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651831297.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1000000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    Memory Dump Source
                    • Source File: 00000024.00000002.2651896034.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_36_2_1030000_Phtos.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:

                    Execution Graph

                    Execution Coverage:0.9%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:4.2%
                    Total number of Nodes:264
                    Total number of Limit Nodes:11
40ec90 34117 41bc5e 9 API calls 34014->34117 34015->34014 34116 407755 CreateProcessA 34015->34116 34016 40ec47 34114 407260 CloseHandle ExitProcess CreateMutexA CoGetObject 34016->34114 34020 40f37f 34146 413a23 RegOpenKeyExW RegDeleteValueW 34020->34146 34022->34015 34115 407260 CloseHandle ExitProcess CreateMutexA CoGetObject 34022->34115 34023 40eca4 34118 401f13 9 API calls 34023->34118 34027 40f392 34147 40dd42 6 API calls 34027->34147 34029 40f3aa 34148 414f2a 75 API calls 34029->34148 34032 40ef06 34125 4136f8 RegOpenKeyExA RegQueryValueExA RegCloseKey 34032->34125 34034 40ecaf 34040 40ed72 34034->34040 34119 40da34 13 API calls 34034->34119 34036 40eee8 34036->33988 34126 402093 9 API calls 34036->34126 34037 40ed66 34120 401f13 9 API calls 34037->34120 34040->34032 34043 40ed8a 34040->34043 34041 40ef88 34127 41376f RegCreateKeyA RegSetValueExA RegCloseKey 34041->34127 34042 40ee0a 34122 413947 12 API calls 34042->34122 34043->34042 34121 40cdf9 23 API calls 34043->34121 34047 40ef9e 34050 40efc8 34047->34050 34128 41cd9b 8 API calls 34047->34128 34048 40eea3 34048->34036 34123 41bc5e 9 API calls 34048->34123 34129 402093 9 API calls 34050->34129 34053 40eee3 34124 40f474 65 API calls 34053->34124 34054 40eff9 34130 402093 9 API calls 34054->34130 34057 40f008 34131 41b4ef 10 API calls 34057->34131 34059 40f00d 34060 40f0a1 StrToIntA 34059->34060 34132 409de4 67 API calls 34060->34132 34062 40f21a 34136 41b60d 32 API calls 34062->34136 34064 40f223 34137 401f13 9 API calls 34064->34137 34065 40f0b3 34070 40f1b2 34065->34070 34133 40d9e8 13 API calls 34065->34133 34068 40f1a6 34134 401f13 9 API calls 34068->34134 34070->34062 34135 40c162 7 API calls 34070->34135 34072 40f22e 34073 40f2c0 34072->34073 34138 402093 9 API calls 34072->34138 34140 4134ff RegOpenKeyExA RegQueryValueExA RegCloseKey 34073->34140 34075 40f29c 34139 4052fd 9 API calls 34075->34139 34079 40f2e4 34079->34027 34141 41bc5e 9 API calls 34079->34141 34084 40f2fd 34142 41361b 12 API 
calls 34084->34142 34086 40f313 34087 40f34d 34086->34087 34088 40f334 Sleep 34086->34088 34145 41bc5e 9 API calls 34087->34145 34088->34086 34090 41cb70 LoadLibraryA 34089->34090 34092 41ccd1 LoadLibraryA 34090->34092 34094 40e9e1 GetModuleFileNameW 34092->34094 34095 40f3c3 13 API calls 34094->34095 34095->33969 34096->33971 34097->33973 34098->33975 34099->33978 34100->33983 34101->33985 34102->33988 34103->33982 34104->33989 34105->33991 34106->33993 34107->33998 34108->34003 34109->34006 34110->33995 34111->34004 34112->34011 34113->34016 34114->34022 34115->34015 34116->34014 34117->34023 34118->34034 34119->34037 34120->34040 34121->34042 34122->34048 34123->34053 34124->34036 34125->34036 34126->34041 34127->34047 34128->34050 34129->34054 34130->34057 34131->34059 34132->34065 34133->34068 34134->34070 34135->34062 34136->34064 34137->34072 34138->34075 34140->34079 34141->34084 34142->34086 34143->34010 34145->34020 34146->34027 34147->34029 34149 41ad17 25 API calls 34148->34149 34150 404e26 34151 404e3a 34150->34151 34152 404e40 SetEvent FindCloseChangeNotification 34151->34152 34153 404e57 closesocket 34151->34153 34157 404e7a 34152->34157 34154 404e64 34153->34154 34155 404e73 34154->34155 34154->34157 34158 4050e4 14 API calls 34155->34158 34158->34157 34159 4020b7 34160 4020bf 34159->34160 34163 40250a 34160->34163 34162 4020d9 34164 40251a 34163->34164 34165 402520 34164->34165 34166 402535 34164->34166 34174 402569 9 API calls 34165->34174 34170 4028e8 34166->34170 34169 402533 34169->34162 34172 4028f1 34170->34172 34171 402915 34171->34169 34172->34171 34175 402cae 34172->34175 34174->34169 34176 402cb8 34175->34176 34179 402e54 9 API calls 34176->34179 34178 402d24 34178->34171 34179->34178 34180 40165e 34181 401666 34180->34181 34182 401669 34180->34182 34183 401696 34182->34183 34185 4344ea 34182->34185 34188 4344ef 34185->34188 34186 43451b 34186->34183 34188->34186 34191 442f80 7 API calls 2 library calls 34188->34191 34192 434c35 
RaiseException Concurrency::cancel_current_task __CxxThrowException@8 34188->34192 34193 43526e InitializeCriticalSectionAndSpinCount RaiseException Concurrency::cancel_current_task std::invalid_argument::invalid_argument __CxxThrowException@8 34188->34193 34191->34188 34193->34188

                    Control-flow Graph

                    APIs
                    • GetCurrentProcess.KERNEL32(00000003,?,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,?,00446136,00000003), ref: 004432D6
                    • TerminateProcess.KERNEL32(00000000,?,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,?,00446136,00000003), ref: 004432DD
                    • ExitProcess.KERNEL32 ref: 004432EF
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                    • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                    • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                    • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

                    Control-flow Graph

                    APIs
                    • LoadLibraryA.KERNELBASE(0046CC0C,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                    • LoadLibraryA.KERNELBASE(Iphlpapi,0046CD5C,?,?,?,?,0040E9E1), ref: 0041CCCC
                    • LoadLibraryA.KERNELBASE(Rstrtmgr,0046CDC8,?,?,?,?,0040E9E1), ref: 0041CD19
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID: GetProcessImageFileNameW$Iphlpapi$Rstrtmgr$SetProcessDpiAwareness$ntdll
                    • API String ID: 1029625771-2948753092
                    • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                    • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                    • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                    • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                    Control-flow Graph

                    APIs
                    • SetEvent.KERNEL32(00000000), ref: 00404E43
                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404E4C
                    • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: ChangeCloseEventFindNotificationclosesocket
                    • String ID: PkGNG
                    • API String ID: 3546678731-263838557
                    • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                    • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                    • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                    • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                    Control-flow Graph

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0042F9A6,00000000,00000000,?,0044850D,0042F9A6,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                    • GetLastError.KERNEL32(?,0044850D,0042F9A6,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,0042F9A6,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                    • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                    • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                    • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

                    Control-flow Graph

                    APIs
                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,0046739C,00000000,0000000E,00000000,004660BC,00000003), ref: 0040D078
                    • GetLastError.KERNEL32 ref: 0040D083
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateErrorLastMutex
                    • String ID: SG
                    • API String ID: 1925916568-3189917014
                    • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                    • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                    • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                    • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                    Control-flow Graph

                    APIs
                    • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: AddressProc__crt_fast_encode_pointer
                    • String ID:
                    • API String ID: 2279764990-0
                    • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                    • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                    • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                    • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

                    Control-flow Graph

                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00446169
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 8fc3aa401b741254ec27ec74adf1fa69e98454956fce93acadc2b765381fd7af
                    • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                    • Opcode Fuzzy Hash: 8fc3aa401b741254ec27ec74adf1fa69e98454956fce93acadc2b765381fd7af
                    • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                    APIs
                    • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0041D5DA
                    • GetCursorPos.USER32(?), ref: 0041D5E9
                    • SetForegroundWindow.USER32(?), ref: 0041D5F2
                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                    • Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0041D65D
                    • ExitProcess.KERNEL32 ref: 0041D665
                    • CreatePopupMenu.USER32 ref: 0041D66B
                    • AppendMenuA.USER32(00000000,00000000,00000000,0046CF4C), ref: 0041D680
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                    • String ID:
                    • API String ID: 1665278180-0
                    • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                    • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                    • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                    • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0$1$2$3$4$5$6$7$VG
                    • API String ID: 0-1861860590
                    • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                    • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                    • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                    • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                    APIs
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                    • GetLastError.KERNEL32 ref: 0041A7BB
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                    • String ID:
                    • API String ID: 3587775597-0
                    • Opcode ID: 9d10e0a9acc2f6ec0d907a4e089f841b29f034486109e7720f110d736464ea26
                    • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                    • Opcode Fuzzy Hash: 9d10e0a9acc2f6ec0d907a4e089f841b29f034486109e7720f110d736464ea26
                    • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                    APIs
                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$View$CreateMappingSizeUnmap
                    • String ID:
                    • API String ID: 2708475042-0
                    • Opcode ID: 7fb3fcc721162e6d88033640e612ba0c020533673be5ade89773fa7836c9dd4a
                    • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                    • Opcode Fuzzy Hash: 7fb3fcc721162e6d88033640e612ba0c020533673be5ade89773fa7836c9dd4a
                    • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 0041C2EC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0041C31C
                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0041C38E
                    • DeleteFileW.KERNEL32(?), ref: 0041C39B
                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?), ref: 0041C371
                    • GetLastError.KERNEL32 ref: 0041C3BC
                    • FindClose.KERNEL32(00000000), ref: 0041C3D2
                    • RemoveDirectoryW.KERNEL32(00000000), ref: 0041C3D9
                    • FindClose.KERNEL32(00000000), ref: 0041C3E2
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                    • String ID:
                    • API String ID: 2341273852-0
                    • Opcode ID: 21adb2039a1719527788488ec41489cbb4979cd8e5b8b9d3f14ea882ba6d989c
                    • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                    • Opcode Fuzzy Hash: 21adb2039a1719527788488ec41489cbb4979cd8e5b8b9d3f14ea882ba6d989c
                    • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$CreateFindFirst
                    • String ID: (eF$8SG$PXG$PXG$NG$PG
                    • API String ID: 41799849-875132146
                    • Opcode ID: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
                    • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                    • Opcode Fuzzy Hash: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
                    • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 0040BBAF
                    • FindClose.KERNEL32(00000000), ref: 0040BBC9
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                    • FindClose.KERNEL32(00000000), ref: 0040BD12
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID:
                    • API String ID: 1164774033-0
                    • Opcode ID: ad8d22506501732b5b65755a05660b52f98a89d7e06d24c0c2034ee962278d7b
                    • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                    • Opcode Fuzzy Hash: ad8d22506501732b5b65755a05660b52f98a89d7e06d24c0c2034ee962278d7b
                    • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                    APIs
                    • GetForegroundWindow.USER32 ref: 0040A416
                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                    • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                    • GetKeyState.USER32(00000010), ref: 0040A433
                    • GetKeyboardState.USER32(?), ref: 0040A43E
                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                    • String ID:
                    • API String ID: 3566172867-0
                    • Opcode ID: 065e10241862117f4d3097b2bc8bfd582faf86ce64b5eaf30273afdca8cd5938
                    • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                    • Opcode Fuzzy Hash: 065e10241862117f4d3097b2bc8bfd582faf86ce64b5eaf30273afdca8cd5938
                    • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                    APIs
                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                    • GetLastError.KERNEL32 ref: 0040A2ED
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                    • TranslateMessage.USER32(?), ref: 0040A34A
                    • DispatchMessageA.USER32(?), ref: 0040A355
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                    • String ID:
                    • API String ID: 3219506041-0
                    • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                    • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                    • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                    • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 004096E2
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                    • FindClose.KERNEL32(?), ref: 00409722
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Find$File$CloseFirstNext
                    • String ID: ~E
                    • API String ID: 3541575487-1083419430
                    • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                    • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                    • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                    • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: FileFind$FirstNextsend
                    • String ID: (eF$XPG$XPG
                    • API String ID: 4113138495-1496965907
                    • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                    • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                    • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                    • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                    APIs
                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                    • GetACP.KERNEL32 ref: 00452513
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP
                    • API String ID: 2299586839-711371036
                    • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                    • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                    • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                    • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 00448281
                    • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                    • String ID:
                    • API String ID: 745075371-0
                    • Opcode ID: ba6601005dfde54dd2b6dfd2db05dea9f7f6200d662a61fcce058dd4d9fd93f2
                    • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                    • Opcode Fuzzy Hash: ba6601005dfde54dd2b6dfd2db05dea9f7f6200d662a61fcce058dd4d9fd93f2
                    • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                    APIs
                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,0046725C,00000000), ref: 0041BFC8
                      • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,0046725C,00000000), ref: 0041BFCF
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                    • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                      • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                      • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                    • String ID:
                    • API String ID: 2180151492-0
                    • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                    • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                    • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                    • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,00466C64,00000000), ref: 0040C39B
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID:
                    • API String ID: 1164774033-0
                    • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                    • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                    • Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                    • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                    • LookupPrivilegeValueA.ADVAPI32(00000000,0046C7C8,?), ref: 00417978
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                    • GetLastError.KERNEL32 ref: 0041799D
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                    • String ID:
                    • API String ID: 3534403312-0
                    • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                    • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                    • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                    • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Find$File$CloseFirstNext
                    • String ID: hdF
                    • API String ID: 3541575487-665520524
                    • Opcode ID: a0b6958a8bb8b8fb09571c2d792c3ee0ee4de1f18a3cac3d6801187e3ca6d093
                    • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                    • Opcode Fuzzy Hash: a0b6958a8bb8b8fb09571c2d792c3ee0ee4de1f18a3cac3d6801187e3ca6d093
                    • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                    APIs
                    • ExitWindowsEx.USER32(00000000), ref: 00416856
                    • LoadLibraryA.KERNEL32(0046C770,0046C760,00000000,00000000,00000000), ref: 0041686B
                    • GetProcAddress.KERNEL32(00000000), ref: 00416872
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: AddressExitLibraryLoadProcWindows
                    • String ID: !D@
                    • API String ID: 1366546845-604454484
                    • Opcode ID: 22ec741e385515f97c7d8dce97b9b08685a6e0ed8fd3d1230601bb8488c1c6ab
                    • Instruction ID: cb7c3ec627994e43045097c2872887c9dcca09c5cc921210c7e8fdc656ecbf72
                    • Opcode Fuzzy Hash: 22ec741e385515f97c7d8dce97b9b08685a6e0ed8fd3d1230601bb8488c1c6ab
                    • Instruction Fuzzy Hash: 7221617060430256CB14FBB68856AAE63599F41788F41483FB442A72D2EF3CD845CBAE
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
                    • _wcschr.LIBVCRUNTIME ref: 00451E4A
                    • _wcschr.LIBVCRUNTIME ref: 00451E58
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                    • String ID:
                    • API String ID: 4212172061-0
                    • Opcode ID: ad90f6663c314a6b939202384c4652260cf4878dc2a200c9b59e25e38cd2e95f
                    • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                    • Opcode Fuzzy Hash: ad90f6663c314a6b939202384c4652260cf4878dc2a200c9b59e25e38cd2e95f
                    • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                    APIs
                    • _free.LIBCMT ref: 004493BD
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • GetTimeZoneInformation.KERNEL32 ref: 004493CF
                    • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
                    • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                    • String ID:
                    • API String ID: 806657224-0
                    • Opcode ID: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                    • Instruction ID: 1863d2ad967fb4723a60e4ea427cb143a9fbff6035582c54e6546b9b7662ab80
                    • Opcode Fuzzy Hash: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                    • Instruction Fuzzy Hash: E1312570908201EFDB18DF69DE8086EBBB8FF0572071442AFE054973A1D3748D42DB18
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00434A06
                    • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00434ACE
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00434AED
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00434AF7
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                    • String ID:
                    • API String ID: 254469556-0
                    • Opcode ID: 0e1107ffdac07f254de2a954d27627300576989961883c90237f8fa34ed81cb5
                    • Instruction ID: 470433e66515116a8597266b763ad8b9243cf2e5887c49d66a43556d64181365
                    • Opcode Fuzzy Hash: 0e1107ffdac07f254de2a954d27627300576989961883c90237f8fa34ed81cb5
                    • Instruction Fuzzy Hash: 4131E7B5D0622CDBDB20DFA5D9896CDBBF8EF08305F1041AAE40DA7250E7359A84CF55
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00434A06
                    • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00434ACE
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00434AED
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00434AF7
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                    • String ID:
                    • API String ID: 254469556-0
                    • Opcode ID: 78012309876250b632172d441885b653354c2f6c29bbd3515a4cb181777269c8
                    • Instruction ID: dbecd6ab12857ee42dd2938ee1627812622444c2f2d592bc01def61f50a1a3ea
                    • Opcode Fuzzy Hash: 78012309876250b632172d441885b653354c2f6c29bbd3515a4cb181777269c8
                    • Instruction Fuzzy Hash: 9831E7B5D02228DBDB20DFA5D9896CDBBF8EF08305F1041AAE40DA7250EB359A84CF54
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Service$Open$CloseHandleManagerStart
                    • String ID:
                    • API String ID: 2553746010-0
                    • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                    • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                    • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                    • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                    APIs
                    • FindResourceA.KERNEL32(0046CA14,0000000A,00000000), ref: 0041B4B9
                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID:
                    • API String ID: 3473537107-0
                    • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                    • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                    • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                    • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                    APIs
                      • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000,00000000), ref: 00413569
                      • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                      • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                    • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                    • ExitProcess.KERNEL32 ref: 0040F8CA
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseExitOpenProcessQuerySleepValue
                    • String ID: pth_unenc
                    • API String ID: 2281282204-4028850238
                    • Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                    • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                    • Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                    • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043BC1A
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043BC24
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043BC31
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 16e35f5aa55978aff17ffb0259f025e7bf83257d926291116d1770b290bb3daa
                    • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                    • Opcode Fuzzy Hash: 16e35f5aa55978aff17ffb0259f025e7bf83257d926291116d1770b290bb3daa
                    • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                    APIs
                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                    • InternetOpenUrlW.WININET(00000000,0046C70C,00000000,00000000,80000000,00000000), ref: 0041B3BD
                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Internet$Open$FileRead
                    • String ID:
                    • API String ID: 72386350-0
                    • Opcode ID: 08bb3f5f20664a74cea474f29ee6dece839590504c66a34b3a008d4f348c9ad7
                    • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                    • Opcode Fuzzy Hash: 08bb3f5f20664a74cea474f29ee6dece839590504c66a34b3a008d4f348c9ad7
                    • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                    APIs
                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034), ref: 00433849
                    • CryptGenRandom.ADVAPI32(?,00000034,?,?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034), ref: 0043385F
                    • CryptReleaseContext.ADVAPI32(?,00000000,?,00000034,?,?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034), ref: 00433871
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: Crypt$Context$AcquireRandomRelease
                    • String ID:
                    • API String ID: 1815803762-0
                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                    • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                    • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                    APIs
                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF), ref: 0041BB14
                    • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                    • CloseHandle.KERNEL32(00000000,?,?,00415FFF), ref: 0041BB2A
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$CloseHandleOpenSuspend
                    • String ID:
                    • API String ID: 1999457699-0
                    • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                    • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                    • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                    • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                    APIs
                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024), ref: 0041BB40
                    • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                    • CloseHandle.KERNEL32(00000000,?,?,00416024), ref: 0041BB56
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$CloseHandleOpenResume
                    • String ID:
                    • API String ID: 3614150671-0
                    • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                    • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                    • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                    • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
                    APIs
                    • OpenClipboard.USER32(00000000), ref: 0040B711
                    • GetClipboardData.USER32(0000000D), ref: 0040B71D
                    • CloseClipboard.USER32 ref: 0040B725
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Clipboard$CloseDataOpen
                    • String ID:
                    • API String ID: 2058664381-0
                    • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                    • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                    • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                    • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: FeaturePresentProcessor
                    • String ID:
                    • API String ID: 2325560087-3916222277
                    • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                    • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                    • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                    • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                    APIs
                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                      • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                      • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,0046CBB8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,0046CBB8,0046611C,?,00000001,00474EE0,00000000), ref: 004137A6
                      • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,0046CBB8,0046611C,?,00000001,00474EE0,00000000,?,0040875D), ref: 004137B1
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseCreateInfoParametersSystemValue
                    • String ID: Control Panel\Desktop
                    • API String ID: 4127273184-27424756
                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID: GetLocaleInfoEx
                    • API String ID: 2299586839-2904428671
                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00448996
                    Strings
                    • GetSystemTimePreciseAsFileTime, xrefs: 00448972
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: Time$FileSystem
                    • String ID: GetSystemTimePreciseAsFileTime
                    • API String ID: 2086374402-595813830
                    APIs
                    • LoadLibraryA.KERNEL32(004660F8,004660E4), ref: 00406A82
                    • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID:
                    • API String ID: 2574300362-0
                    APIs
                    • GetComputerNameExW.KERNEL32(00000001,?,?,004750E4), ref: 0041B62A
                    • GetUserNameW.ADVAPI32(?,?), ref: 0041B642
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Name$ComputerUser
                    • String ID:
                    • API String ID: 4229901323-0
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004120E7
                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004120EE
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Heap$FreeProcess
                    • String ID:
                    • API String ID: 3859560861-0
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 00448281
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$_free$InfoLocale_abort
                    • String ID:
                    • API String ID: 1663032902-0
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • EnumSystemLocalesW.KERNEL32(004520C3,00000001), ref: 0045200D
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$InfoLocale_abort_free
                    • String ID:
                    • API String ID: 2692324296-0
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • EnumSystemLocalesW.KERNEL32(00452313,00000001), ref: 00452082
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    APIs
                      • Part of subcall function 00445888: RtlEnterCriticalSection.NTDLL(?), ref: 00445897
                    • EnumSystemLocalesW.KERNEL32(Function_000193BE,00000001,0046EAD0,0000000C), ref: 0044843C
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    • String ID:
                    • API String ID: 1272433827-0
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • EnumSystemLocalesW.KERNEL32(00451EA7,00000001), ref: 00451F87
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    APIs
                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,004674AC), ref: 0040F8E5
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_00005B53,0043487A), ref: 00434B4C
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                    • ExitProcess.KERNEL32(00000000), ref: 004124A0
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                    • CloseHandle.KERNEL32(00000000), ref: 0041253B
                    • GetCurrentProcessId.KERNEL32 ref: 00412541
                    • PathFileExistsW.SHLWAPI(?), ref: 00412572
                    • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                    • GetTempFileNameW.KERNEL32(?,0046C57C,00000000,?), ref: 004125EF
                    • lstrcatW.KERNEL32(?,0046C588), ref: 00412601
                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C510,00000000,00000000,?), ref: 0041C430
                    • Sleep.KERNEL32(000001F4), ref: 00412682
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                    • CloseHandle.KERNEL32(00000000), ref: 004126A9
                    • GetCurrentProcessId.KERNEL32 ref: 004126AF
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
                    • String ID: 8SG$WDH
                    • API String ID: 1507772987-3432548788
                    APIs
                    • CreateDCA.GDI32(0046C878,00000000,00000000,00000000), ref: 00418E90
                    • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                      • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                    • DeleteObject.GDI32(00000000), ref: 00418F30
                    • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                    • GetCursorInfo.USER32(?), ref: 00418FA7
                    • GetIconInfo.USER32(?,?), ref: 00418FBD
                    • DeleteObject.GDI32(?), ref: 00418FEC
                    • DeleteObject.GDI32(?), ref: 00418FF9
                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00473198,00000000,00000000,00660046), ref: 0041903C
                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                    • DeleteObject.GDI32(00000000), ref: 00419182
                    • GlobalFree.KERNEL32(?), ref: 0041918D
                    • DeleteObject.GDI32(00000000), ref: 00419241
                    • GlobalFree.KERNEL32(?), ref: 00419248
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                    • String ID:
                    • API String ID: 2309981249-0
                    APIs
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                    • ResumeThread.KERNEL32(?), ref: 00418435
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                    • GetLastError.KERNEL32 ref: 0041847A
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                    • String ID: ntdll
                    • API String ID: 3275803005-3337577438
                    • Opcode ID: cafefe7058adb2e2ada4bbee28bfd2d23a8ca11c6b6fded82f766020f315d601
                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                    • Opcode Fuzzy Hash: cafefe7058adb2e2ada4bbee28bfd2d23a8ca11c6b6fded82f766020f315d601
                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                    APIs
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$EnvironmentVariable$_wcschr
                    • String ID:
                    • API String ID: 3899193279-0
                    • Opcode ID: f237ddb30e5f33d89af711b1be266866aede5e6f8c8d7e35f6ef0564ae857f1f
                    • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                    • Opcode Fuzzy Hash: f237ddb30e5f33d89af711b1be266866aede5e6f8c8d7e35f6ef0564ae857f1f
                    • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                    APIs
                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C510,00000000,00000000,?), ref: 0041C430
                    • ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0040D7C4
                    • ExitProcess.KERNEL32 ref: 0040D7D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
                    • String ID: 4qF0qF$4qF0qF$8SG$On Error Resume Next$dMG$fso.DeleteFolder "$hdF$hpF$while fso.FileExists("$nF
                    • API String ID: 1359289687-3372692189
                    • Opcode ID: 2f3ce923dbbe2e0d0213cd8ef230dd9626b59f7069d249d2c5d1764d91111602
                    • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                    • Opcode Fuzzy Hash: 2f3ce923dbbe2e0d0213cd8ef230dd9626b59f7069d249d2c5d1764d91111602
                    • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                    APIs
                    • lstrlenW.KERNEL32(?), ref: 0041C036
                    • lstrlenW.KERNEL32(?), ref: 0041C067
                    • FindFirstVolumeW.KERNEL32(?,00000104), ref: 0041C0A2
                    • GetLastError.KERNEL32 ref: 0041C0B5
                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                    • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                    • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                    • GetLastError.KERNEL32 ref: 0041C173
                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                    • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                    • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                    • GetLastError.KERNEL32 ref: 0041C1D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuerylstrcatlstrcmplstrcpy
                    • String ID: ?
                    • API String ID: 1756451316-1684325040
                    • Opcode ID: 3c2e35f6cd7f2bbfd4d0a3a78bf5b1af4ec44a4975259b794b6988487beac2b4
                    • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                    • Opcode Fuzzy Hash: 3c2e35f6cd7f2bbfd4d0a3a78bf5b1af4ec44a4975259b794b6988487beac2b4
                    • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                    APIs
                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                    • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: FileProcessSleep$CreateNamedPeekPipeReadTerminateWritesend
                    • String ID: 0lG$0lG$0lG$0lG$0lG$kG
                    • API String ID: 729113801-4252883706
                    • Opcode ID: 905c8df1a7ae56e3c1c9d0a50e072924a5dd5471fd344cc5b0d437a12c4a113e
                    • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                    • Opcode Fuzzy Hash: 905c8df1a7ae56e3c1c9d0a50e072924a5dd5471fd344cc5b0d437a12c4a113e
                    • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                    APIs
                    • Sleep.KERNEL32(00001388), ref: 0040A740
                      • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                      • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                      • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                      • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                    • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                    • API String ID: 3795512280-4009011672
                    • Opcode ID: af5d014d5c346995506013b1ae64ad15129aff532d6d4e7458d722d7faec377d
                    • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                    • Opcode Fuzzy Hash: af5d014d5c346995506013b1ae64ad15129aff532d6d4e7458d722d7faec377d
                    • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                    APIs
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$Info
                    • String ID:
                    • API String ID: 2509303402-0
                    • Opcode ID: e15e11657a1ee55f0e047c053d4bd41fe5a319fc5a1a16791f28e12062c456a9
                    • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                    • Opcode Fuzzy Hash: e15e11657a1ee55f0e047c053d4bd41fe5a319fc5a1a16791f28e12062c456a9
                    • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                    APIs
                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D1A5
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                    • ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0040D412
                    • ExitProcess.KERNEL32 ref: 0040D419
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                    • String ID: 8SG$On Error Resume Next$dMG$fso.DeleteFolder "$hdF$pth_unenc$while fso.FileExists("$nF
                    • API String ID: 508158800-2076880549
                    • Opcode ID: e41ae33bc9da5f5434ecc749514a50c1127adcaa4601a5eb3aa3d296298cc8c2
                    • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                    • Opcode Fuzzy Hash: e41ae33bc9da5f5434ecc749514a50c1127adcaa4601a5eb3aa3d296298cc8c2
                    • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0045130A
                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                    • _free.LIBCMT ref: 004512FF
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00451321
                    • _free.LIBCMT ref: 00451336
                    • _free.LIBCMT ref: 00451341
                    • _free.LIBCMT ref: 00451363
                    • _free.LIBCMT ref: 00451376
                    • _free.LIBCMT ref: 00451384
                    • _free.LIBCMT ref: 0045138F
                    • _free.LIBCMT ref: 004513C7
                    • _free.LIBCMT ref: 004513CE
                    • _free.LIBCMT ref: 004513EB
                    • _free.LIBCMT ref: 00451403
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                    • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                    • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                    • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free
                    • String ID: \&G$\&G$`&G
                    • API String ID: 269201875-253610517
                    • Opcode ID: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                    • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                    • Opcode Fuzzy Hash: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                    • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?), ref: 0043A892
                    • GetLastError.KERNEL32 ref: 0043A89F
                    • __dosmaperr.LIBCMT ref: 0043A8A6
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 0043A8D2
                    • GetLastError.KERNEL32 ref: 0043A8DC
                    • __dosmaperr.LIBCMT ref: 0043A8E3
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 0043A926
                    • GetLastError.KERNEL32 ref: 0043A930
                    • __dosmaperr.LIBCMT ref: 0043A937
                    • _free.LIBCMT ref: 0043A943
                    • _free.LIBCMT ref: 0043A94A
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                    • String ID:
                    • API String ID: 2441525078-0
                    • Opcode ID: 67250cf6c5abfc03add06ce7b17bb8145c171f50c87646d9733cc43d423071ea
                    • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                    • Opcode Fuzzy Hash: 67250cf6c5abfc03add06ce7b17bb8145c171f50c87646d9733cc43d423071ea
                    • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                    APIs
                    • _free.LIBCMT ref: 00448135
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00448141
                    • _free.LIBCMT ref: 0044814C
                    • _free.LIBCMT ref: 00448157
                    • _free.LIBCMT ref: 00448162
                    • _free.LIBCMT ref: 0044816D
                    • _free.LIBCMT ref: 00448178
                    • _free.LIBCMT ref: 00448183
                    • _free.LIBCMT ref: 0044818E
                    • _free.LIBCMT ref: 0044819C
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                    • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                    • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                    • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                    • String ID: 0TG$0TG$NG$NG
                    • API String ID: 1937857116-278358599
                    • Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                    • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                    • Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                    • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 00412106
                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                      • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                      • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                    • CloseHandle.KERNEL32(00000000), ref: 00412155
                    • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                    • String ID: WDH
                    • API String ID: 3018269243-2057347716
                    • Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                    • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                    • Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                    • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                    • String ID: hdF$hdF
                    • API String ID: 3756808967-2522469806
                    • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                    • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                    • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                    • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000,004750E4,?,?,?,?,?,?,?,?,?,0040EE0A,0046739C,00000000,0000000E), ref: 0040CE20
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                    • CloseHandle.KERNEL32 ref: 0040D02D
                    • ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000001), ref: 0040D04B
                    • ExitProcess.KERNEL32 ref: 0040D062
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateDirectory$CloseExecuteExitHandleProcessShell
                    • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$hdF
                    • API String ID: 2323119506-1824008272
                    • Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                    • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                    • Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                    • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Eventinet_ntoa
                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                    • API String ID: 3578746661-3604713145
                    • Opcode ID: b7e545620812273330383cc3efdd9bcfc3879d757bd19d7a259961bf1a4de7a6
                    • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                    • Opcode Fuzzy Hash: b7e545620812273330383cc3efdd9bcfc3879d757bd19d7a259961bf1a4de7a6
                    • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                    • GetLocalTime.KERNEL32(?), ref: 0041A105
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateDirectoryLocalTime
                    • String ID: S~E$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                    • API String ID: 467499730-4224798360
                    • Opcode ID: 0a3c78d02fe8e2a34889c0781f83a9f873681b02ef9484db30951b5d4f55da13
                    • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                    • Opcode Fuzzy Hash: 0a3c78d02fe8e2a34889c0781f83a9f873681b02ef9484db30951b5d4f55da13
                    • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: 65535$udp
                    • API String ID: 0-1267037602
                    • Opcode ID: 6c8278ac7c0b30d525e1341b3cb7a9c28b0af4a2ea85ee13cd859ad9bba2279b
                    • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                    • Opcode Fuzzy Hash: 6c8278ac7c0b30d525e1341b3cb7a9c28b0af4a2ea85ee13cd859ad9bba2279b
                    • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                    APIs
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                    • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                    • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00417DA8
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                    • String ID: 0VG$0VG$<$@
                    • API String ID: 1107811701-760889559
                    • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                    • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                    • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                    • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00000D0B,00000000), ref: 00401C8F
                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                    • waveInStart.WINMM ref: 00401CFE
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                    • String ID: dMG$|MG$PG
                    • API String ID: 1356121797-532278878
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    APIs
                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000), ref: 0044828D
                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • _memcmp.LIBVCRUNTIME ref: 00445423
                    • _free.LIBCMT ref: 00445494
                    • _free.LIBCMT ref: 004454AD
                    • _free.LIBCMT ref: 004454DF
                    • _free.LIBCMT ref: 004454E8
                    • _free.LIBCMT ref: 004454F4
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$ErrorLast$_abort_memcmp
                    • String ID: C
                    • API String ID: 1679612858-1037565863
                    APIs
                      • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                    • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                    • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                      • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00411E17
                    • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                      • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004120E7
                      • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004120EE
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                    • String ID: t^F
                    • API String ID: 2227336758-389975521
                    APIs
                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0041B18E
                    • SetEvent.KERNEL32 ref: 0041B219
                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                    • CloseHandle.KERNEL32 ref: 0041B23A
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                    • String ID: open "
                    • API String ID: 1811012380-3219617982
                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                    • TranslateMessage.USER32(?), ref: 0040557E
                    • DispatchMessageA.USER32(?), ref: 00405589
                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                    • String ID: x`F
                    • API String ID: 2956720200-1608609784
                    APIs
                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                      • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                      • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseEnumInfoOpenQuerysend
                    • String ID: hdF$xUG$NG$NG$TG
                    • API String ID: 3114080316-2774981958
                    APIs
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                    • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                    • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00417DA8
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                    • String ID: 0VG$<$@
                    • API String ID: 1107811701-2149486900
                    APIs
                    • GetCPInfo.KERNEL32(?,?), ref: 00453E2F
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453EB2
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453F45
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F5C
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00446169
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FD8
                    • __freea.LIBCMT ref: 00454003
                    • __freea.LIBCMT ref: 0045400F
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                    • String ID:
                    • API String ID: 2829977744-0
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: udp
                    • API String ID: 0-4243565622
                    APIs
                    • GetConsoleCP.KERNEL32(00000001,00440BEE,E0830C40,?,?,?,?,?,?,0044BB31,004358B0,00440BEE,00000001,00440BEE,00440BEE,004358B0), ref: 0044B3FE
                    • __fassign.LIBCMT ref: 0044B479
                    • __fassign.LIBCMT ref: 0044B494
                    • WideCharToMultiByte.KERNEL32(?,00000000,00440BEE,00000001,00000001,00000005,00000000,00000000), ref: 0044B4BA
                    • WriteFile.KERNEL32(?,00000001,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,004358B0), ref: 0044B4D9
                    • WriteFile.KERNEL32(?,004358B0,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,004358B0), ref: 0044B512
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free
                    • String ID: D[E$D[E
                    • API String ID: 269201875-3695742444
                    APIs
                    • RtlExitUserThread.NTDLL(00000000), ref: 004018F6
                    • waveInUnprepareHeader.WINMM(00001E40,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: ExitHeaderThreadUnprepareUserwave
                    • String ID: PkG$XMG$NG$NG
                    • API String ID: 799343363-3151166067
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    APIs
                      • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                    • _free.LIBCMT ref: 00450F48
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00450F53
                    • _free.LIBCMT ref: 00450F5E
                    • _free.LIBCMT ref: 00450FB2
                    • _free.LIBCMT ref: 00450FBD
                    • _free.LIBCMT ref: 00450FC8
                    • _free.LIBCMT ref: 00450FD3
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                    • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                      • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                      • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                    • lstrcpyn.KERNEL32(00474B60,0046CF34,00000080), ref: 0041D4C7
                    • Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0041D4DD
                    • TranslateMessage.USER32(?), ref: 0041D4E9
                    • DispatchMessageA.USER32(?), ref: 0041D4F3
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                    • String ID:
                    • API String ID: 1970332568-0
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$hdF
                    • API String ID: 0-3126813234
                    APIs
                    • __allrem.LIBCMT ref: 0043AC69
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                    • __allrem.LIBCMT ref: 0043AC9C
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                    • __allrem.LIBCMT ref: 0043ACD1
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043EB8A,0043EB8A,?,?,?,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                    • __freea.LIBCMT ref: 0044AE30
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00446169
                    • __freea.LIBCMT ref: 0044AE39
                    • __freea.LIBCMT ref: 0044AE5E
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: __cftoe
                    • String ID:
                    • API String ID: 4189289331-0
                    APIs
                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 004079C5
                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 00407A0D
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    • CloseHandle.KERNEL32(00000000), ref: 00407A4D
                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 00407A95
                    • DeleteFileW.KERNEL32(00000000), ref: 00407AA5
                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000), ref: 00404BA5
                      • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                    • String ID:
                    • API String ID: 1303771098-0
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 0041AB1C
                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 0041AB33
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041AB40
                    • ControlService.ADVAPI32(00000000,00000001,?), ref: 0041AB4F
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Service$Open$CloseControlHandleManager
                    • String ID:
                    • API String ID: 1243734080-0
                    APIs
                    • GetLastError.KERNEL32(?,?,00445591,0046EA10,0000000C,00434B93), ref: 00448219
                    • _free.LIBCMT ref: 0044824C
                    • _free.LIBCMT ref: 00448274
                    • SetLastError.KERNEL32(00000000), ref: 00448281
                    • SetLastError.KERNEL32(00000000), ref: 0044828D
                    • _abort.LIBCMT ref: 00448293
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                    • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                    • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                    • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                    APIs
                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Enum$InfoQueryValue
                    • String ID: xUG$TG
                    • API String ID: 3554306468-3109661684
                    • Opcode ID: bef0d11375177f03753471858f70ec21f565ba61579411e3ecc88fe91ccb8e45
                    • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                    • Opcode Fuzzy Hash: bef0d11375177f03753471858f70ec21f565ba61579411e3ecc88fe91ccb8e45
                    • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                    APIs
                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                      • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                      • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                      • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                    • ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0040D9B8
                    • ExitProcess.KERNEL32 ref: 0040D9C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                    • String ID: 8SG$hdF
                    • API String ID: 1913171305-2442339004
                    • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                    • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                    • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                    • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                    APIs
                    • connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 004048E0
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                    • WSAGetLastError.WS2_32 ref: 00404A21
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                    • String ID: PkGNG
                    • API String ID: 994465650-263838557
                    • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                    • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                    • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                    • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                    • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                    • String ID: PkGNG
                    • API String ID: 3360349984-263838557
                    • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                    • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                    • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                    • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                    APIs
                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                    • LoadLibraryA.KERNEL32(?), ref: 00414E17
                    • LoadLibraryA.KERNEL32(?), ref: 00414E76
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: LibraryLoad$AddressDirectoryProcSystem
                    • String ID: IA
                    • API String ID: 4217395396-3535198606
                    • Opcode ID: 697558a9680cf1283e855f76c890011613406c50ceda95f73a72929b5fe79c5f
                    • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                    • Opcode Fuzzy Hash: 697558a9680cf1283e855f76c890011613406c50ceda95f73a72929b5fe79c5f
                    • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                    APIs
                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare
                    • String ID: dMG$|MG
                    • API String ID: 3979376653-1683252805
                    • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                    • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                    • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                    • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                    • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleSizeSleep
                    • String ID: XQG
                    • API String ID: 1958988193-3606453820
                    • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                    • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                    • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                    • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                    APIs
                    • RegisterClassExA.USER32(00000030), ref: 0041D55B
                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                    • GetLastError.KERNEL32 ref: 0041D580
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: ClassCreateErrorLastRegisterWindow
                    • String ID: 0$MsgWindowClass
                    • API String ID: 2877667751-2410386613
                    • Opcode ID: 5dab7ac12320d6d367f96cf7354c04e0138fa3a0fe5368e53bfadd8ad26652a3
                    • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                    • Opcode Fuzzy Hash: 5dab7ac12320d6d367f96cf7354c04e0138fa3a0fe5368e53bfadd8ad26652a3
                    • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,00000003,?,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                    • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,00000003,?,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000), ref: 00443390
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                    • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                    • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                    • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6fefe076d82eebeaab6ce4915ba22ce93c32c18902363ffeee55431b43298b04
                    • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                    • Opcode Fuzzy Hash: 6fefe076d82eebeaab6ce4915ba22ce93c32c18902363ffeee55431b43298b04
                    • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                    APIs
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$AllocateHeap
                    • String ID:
                    • API String ID: 3033488037-0
                    • Opcode ID: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                    • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                    • Opcode Fuzzy Hash: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                    • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                    APIs
                    • Sleep.KERNEL32(000001F4), ref: 0040AD43
                    • GetForegroundWindow.USER32 ref: 0040AD49
                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                    • Sleep.KERNEL32(000003E8), ref: 0040AE54
                      • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Window$SleepText$EventForegroundLength
                    • String ID:
                    • API String ID: 828943121-0
                    • Opcode ID: c10d38f269757a906d0ca9fba1566ff1fbaabb7f14d30099c27d05f9eae8babe
                    • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                    • Opcode Fuzzy Hash: c10d38f269757a906d0ca9fba1566ff1fbaabb7f14d30099c27d05f9eae8babe
                    • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                    APIs
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                    • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                    • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                    • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00446169
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                    • _free.LIBCMT ref: 0044F3BF
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                    • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                    • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                    • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                    APIs
                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C510,00000000,00000000,?), ref: 0041C430
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0041C510,00000000,00000000,?,?,0040A8E7), ref: 0041C44D
                    • CloseHandle.KERNEL32(00000000,?,00000000,0041C510,00000000,00000000,?,?,0040A8E7), ref: 0041C459
                    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0041C510,00000000,00000000,?,?,0040A8E7), ref: 0041C46A
                    • CloseHandle.KERNEL32(00000000,?,00000000,0041C510,00000000,00000000,?,?,0040A8E7), ref: 0041C477
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$CloseHandle$CreatePointerWrite
                    • String ID:
                    • API String ID: 1852769593-0
                    • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                    • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                    • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                    • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                    APIs
                    • GetLastError.KERNEL32(?,?,?,004405E2,004461B8,?,?,0042F8A7,?,00000008,0042F9A6,00000001,?,?,?), ref: 0044829E
                    • _free.LIBCMT ref: 004482D3
                    • _free.LIBCMT ref: 004482FA
                    • SetLastError.KERNEL32(00000000,?,?,?), ref: 00448307
                    • SetLastError.KERNEL32(00000000,?,?,?), ref: 00448310
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                    • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                    • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                    • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                    APIs
                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Process$CloseHandleOpen$FileImageName
                    • String ID:
                    • API String ID: 2951400881-0
                    • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                    • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                    • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                    • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                    APIs
                    • _free.LIBCMT ref: 004509D4
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 004509E6
                    • _free.LIBCMT ref: 004509F8
                    • _free.LIBCMT ref: 00450A0A
                    • _free.LIBCMT ref: 00450A1C
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                    • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                    • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                    • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                    APIs
                    • _free.LIBCMT ref: 00444066
                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                    • _free.LIBCMT ref: 00444078
                    • _free.LIBCMT ref: 0044408B
                    • _free.LIBCMT ref: 0044409C
                    • _free.LIBCMT ref: 004440AD
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                    • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                    • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                    • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: __freea$_free
                    • String ID: a/p$am/pm
                    • API String ID: 3432400110-3206640213
                    • Opcode ID: 46d659ac7bdaf04646bfac5181018d3b2e5ac3305fddb004e57ba7c2d5c30b25
                    • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                    • Opcode Fuzzy Hash: 46d659ac7bdaf04646bfac5181018d3b2e5ac3305fddb004e57ba7c2d5c30b25
                    • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CountEventTick
                    • String ID: !D@$NG
                    • API String ID: 180926312-2721294649
                    • Opcode ID: 068e9cc0715a92df8d739c6ab064f289f55cbcf881b4b95b9b6ab27274b13f38
                    • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                    • Opcode Fuzzy Hash: 068e9cc0715a92df8d739c6ab064f289f55cbcf881b4b95b9b6ab27274b13f38
                    • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                    APIs
                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 004048E0
                      • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000), ref: 00404B36
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                    • String ID: XQG$NG$PG
                    • API String ID: 1634807452-3565412412
                    • Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                    • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                    • Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                    • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: `#D$`#D
                    • API String ID: 885266447-2450397995
                    • Opcode ID: 32b2969ad776a542742da61f745edda7a135a4d1e2de082e82c7570d145ea4de
                    • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                    • Opcode Fuzzy Hash: 32b2969ad776a542742da61f745edda7a135a4d1e2de082e82c7570d145ea4de
                    • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000104), ref: 00443475
                    • _free.LIBCMT ref: 00443540
                    • _free.LIBCMT ref: 0044354A
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                    • API String ID: 2506810119-50795131
                    • Opcode ID: be0d0bda5ad998c270e35ccfb9ece79b3f278109c2605a99f82978ac342f79e3
                    • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                    • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                    APIs
                    • ShellExecuteW.SHELL32(00000000,00466108,0046C7B0,00000000,00000000,00000000), ref: 004174F5
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                    • Sleep.KERNEL32(00000064), ref: 00417521
                    • DeleteFileW.KERNEL32(00000000), ref: 00417555
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$CreateDeleteExecuteShellSleep
                    • String ID: /t
                    • API String ID: 1462127192-3161277685
                    • Opcode ID: c397a39675c13a4b89e1612132d9c94fcc47af76ca7af7dfc0a31b42f60cb87e
                    • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                    • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: ,kG$0kG$@!G
                    • API String ID: 0-312998898
                    • Opcode ID: 35f2531d0e72d04f019c05be4a07030b9f52aeff2b706667cf8558754862adf0
                    • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                    • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                    APIs
                    • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                    • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: FormatFreeLocalMessage
                    • String ID: @J@$PkGNG
                    • API String ID: 1427518018-1416487119
                    • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                    • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                    • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                    • RegSetValueExA.ADVAPI32(0046611C,0046CBB8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,0046CBB8,0046611C,?,00000001,00474EE0,00000000), ref: 004137A6
                    • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,0046CBB8,0046611C,?,00000001,00474EE0,00000000,?,0040875D), ref: 004137B1
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: Control Panel\Desktop
                    • API String ID: 1818849710-27424756
                    • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                    • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                    • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,loF,004750E4), ref: 0041363D
                    • RegQueryValueExW.ADVAPI32(loF,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                    • RegCloseKey.ADVAPI32(?), ref: 00413665
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: loF
                    • API String ID: 3677997916-3277224091
                    • Opcode ID: 1fc720c5af09767de5d5cc7bb63512f3198692daef6ba2e2d38df8188ddc2fef
                    • Instruction ID: f34a781dc69553a1478c4d1e38e8143fd29b0d6f10a6f19acb5bd71dd86b2662
                    • Instruction Fuzzy Hash: 00F04F75600218FBDF209B90DC05FDD77BCEB04B11F1040A2BA45B5291DB749F849BA8
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,Function_0001C45D,00000000,00000000,00000000), ref: 00416C47
                    • ShowWindow.USER32(00000009), ref: 00416C61
                    • SetForegroundWindow.USER32 ref: 00416C6D
                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                      • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                    • String ID: !D@
                    • API String ID: 186401046-604454484
                    • Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                    • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                    • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    • Opcode ID: fa5adc363d90c346da196b13896c6d81691097b48ecd6299cf525d8ecdee76a8
                    • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                    • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 283252bb3b7c434a6648d6859eb91d891d6763299a8d23278ea82933b3a2fc7d
                    • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                    • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                    APIs
                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411B8C
                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411C58
                    • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                    • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: ErrorHugeLastRead
                    • String ID:
                    • API String ID: 3239643929-0
                    • Opcode ID: f5c5a2eeb12426a171176a03d3fcb2771a8dbd257816eb74bb4a7dc8fda221b0
                    • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                    • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0045D518,00000000,00000000,8B56FF8B,004444CA,?,00000004,00000001,0045D518,0000007F,?,8B56FF8B,00000001), ref: 00451179
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                    • __freea.LIBCMT ref: 0045121D
                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00446169
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    • Opcode ID: 7c5182d9132fa30338308974498d3ba5f168620f42cd9323d64ef68a161dd985
                    • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                    • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                    APIs
                    • EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
                    • EnumDisplayDevicesW.USER32(?), ref: 00419525
                    • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
                    • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: DisplayEnum$Devices$Monitors
                    • String ID:
                    • API String ID: 1432082543-0
                    • Opcode ID: af7e2ff2ee1e02466714e9096c5e91207e07c443cdfc7f348ce893922ca5b7b9
                    • Instruction ID: 9f89b1fc864c89aa53311e19646eec67f909338e1adf78e73a6452d568b12732
                    • Instruction Fuzzy Hash: 6F218072108314ABD221DF26DC49EABBBECEBD1764F00053FF459D3190EB749A49C66A
                    APIs
                      • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                      • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                      • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                    • Sleep.KERNEL32(00000BB8), ref: 0041277A
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseOpenQuerySleepValue
                    • String ID: 8SG$hdF$toF
                    • API String ID: 4119054056-2436869523
                    • Opcode ID: 45c2d341f62a096013af463588a97dbbd408217f0309ec97b2c060c4bd86d792
                    • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                    • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0041AC88
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0041AC9C
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041ACA9
                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041ACDE
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Service$Open$ChangeCloseConfigHandleManager
                    • String ID:
                    • API String ID: 110783151-0
                    • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                    • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                    • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                    • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                    • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                    • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                    • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                    • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleReadSize
                    • String ID:
                    • API String ID: 3919263394-0
                    • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                    • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                    • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                    APIs
                    • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                    • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                    • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Console$Window$AllocOutputShow
                    • String ID:
                    • API String ID: 4067487056-0
                    • Opcode ID: 1d01a235a6dd69b2a05ecb435edc09ceb9a82588edb2e8a946931a6409443758
                    • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                    • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                      • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                    • _UnwindNestedFrames.LIBCMT ref: 00439891
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                    • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID:
                    • API String ID: 2633735394-0
                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                    • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                    • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 0041AAB5
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 0041AAC9
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041AAD6
                    • ControlService.ADVAPI32(00000000,00000001,?), ref: 0041AAE5
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Service$Open$CloseControlHandleManager
                    • String ID:
                    • API String ID: 1243734080-0
                    • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                    • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                    • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0041ABB9
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0041ABCD
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041ABDA
                    • ControlService.ADVAPI32(00000000,00000002,?), ref: 0041ABE9
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Service$Open$CloseControlHandleManager
                    • String ID:
                    • API String ID: 1243734080-0
                    • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                    • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                    • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0041AC20
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0041AC34
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041AC41
                    • ControlService.ADVAPI32(00000000,00000003,?), ref: 0041AC50
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Service$Open$CloseControlHandleManager
                    • String ID:
                    • API String ID: 1243734080-0
                    • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                    • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                    • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00405120
                    • SetEvent.KERNEL32(?), ref: 0040512C
                    • WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00405137
                    • CloseHandle.KERNEL32(00000001), ref: 00405140
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                    • String ID:
                    • API String ID: 2993684571-0
                    • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                    • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                    • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                    APIs
                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                    • String ID:
                    • API String ID: 3024135584-0
                    • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                    • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                    • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                      • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                    • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                    • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: __aulldvrm
                    • String ID: +$-
                    • API String ID: 1302938615-2137968064
                    • Opcode ID: 04d354a1ee3c3114d05b9158b16b821a0c575007d3bba7a72ede702c46c073ac
                    • Instruction ID: 1ebf0e099ed227456b8e5295ede85010dd3e0b5e3832c94c1649290a6a7a69b8
                    • Opcode Fuzzy Hash: 04d354a1ee3c3114d05b9158b16b821a0c575007d3bba7a72ede702c46c073ac
                    • Instruction Fuzzy Hash: 9F911A70D041499FCF24DE69C8417EEBBB5EF59324F14A25BEA71A7390D3388902CB99
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                    • String ID: 0NG
                    • API String ID: 368326130-1567132218
                    • Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                    • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                    • Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                    • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                    APIs
                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateStream
                    • String ID: image/jpeg
                    • API String ID: 1369699375-3785015651
                    • Opcode ID: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
                    • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                    • Opcode Fuzzy Hash: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
                    • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                    APIs
                    • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: ACP$OCP
                    • API String ID: 0-711371036
                    • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                    • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                    • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                    • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                    APIs
                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                    • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: CreateStream
                    • String ID: image/png
                    • API String ID: 1369699375-2966254431
                    • Opcode ID: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
                    • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                    • Opcode Fuzzy Hash: 6411a8012ecf1a64a1773f4eaa23e3f4fcdf1f742ac8238d8550c3e8c78666f9
                    • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                    APIs
                    • Sleep.KERNEL32 ref: 00416640
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: DownloadFileSleep
                    • String ID: !D@
                    • API String ID: 1931167962-604454484
                    • Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                    • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                    • Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                    • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                    APIs
                    • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: LocalTime
                    • String ID: %02i:%02i:%02i:%03i $PkGNG
                    • API String ID: 481472006-224355505
                    • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                    • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                    • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                    • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                    APIs
                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: Object
                    • String ID: $$cF
                    • API String ID: 2936123098-3386849937
                    • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                    • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                    • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                    • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                    APIs
                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,0046668C,004750F0), ref: 0040B172
                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • CloseHandle.KERNEL32(?), ref: 0040B0B4
                    • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                    • String ID: DgF
                    • API String ID: 1623830855-1037166027
                    • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                    • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                    • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                    • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                    APIs
                    • waveInPrepareHeader.WINMM(00474D94,00000020,00476BD4,00476BD4,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                    • waveInAddBuffer.WINMM(00474D94,00000020,?,00000000,00401A15), ref: 0040185F
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: wave$BufferHeaderPrepare
                    • String ID: XMG
                    • API String ID: 2315374483-813777761
                    • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                    • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                    • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                    • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                    APIs
                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: LocaleValid
                    • String ID: IsValidLocaleName$JD
                    • API String ID: 1901932003-2234456777
                    • Opcode ID: 5d1d288eeeb841aa5a36f8f054c23ab4e3c6f6951bec319ecd69c156a4618a4b
                    • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                    • Opcode Fuzzy Hash: 5d1d288eeeb841aa5a36f8f054c23ab4e3c6f6951bec319ecd69c156a4618a4b
                    • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free
                    • String ID: $G
                    • API String ID: 269201875-4251033865
                    • Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                    • Instruction ID: ffc8389238c956ab6c1ca4f2b01b58cd1871601a5e35f3520dab429f03a8b914
                    • Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                    • Instruction Fuzzy Hash: 7DE0E592A0182014F6717A3F6C0575B0545CBC2B7FF11833BF538861C1CFAC4A46519E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: _free
                    • String ID: $G
                    • API String ID: 269201875-4251033865
                    • Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                    • Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
                    • Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                    • Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE
                    APIs
                    • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                    • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID:
                    • String ID: uD
                    • API String ID: 0-2547262877
                    • Opcode ID: 052a532a64cf39ead61894e252f2db94df575de73dc0b065ad17a2540c1b1917
                    • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                    • Opcode Fuzzy Hash: 052a532a64cf39ead61894e252f2db94df575de73dc0b065ad17a2540c1b1917
                    • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                    APIs
                    • DeleteFileW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B876
                    • RemoveDirectoryW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B8A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_401000_vbc.jbxd
                    Similarity
                    • API ID: DeleteDirectoryFileRemove
                    • String ID: hdF
                    • API String ID: 3325800564-665520524
                    • Opcode ID: 2e0f71548beba5a730f37ec643fdbde7cff5540ab6036cf56b22bcb1e85fbdea
                    • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                    • Opcode Fuzzy Hash: 2e0f71548beba5a730f37ec643fdbde7cff5540ab6036cf56b22bcb1e85fbdea
                    • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 00440D27
                    • GetLastError.KERNEL32 ref: 00440D35
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00440D90
                    Memory Dump Source
                    • Source File: 00000025.00000002.2647024450.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_37_2_42f000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    • Opcode ID: 856d8eaa39934b337600fada48554ad489c200a5de82f2d8df133671ab9e99c3
                    • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                    • Opcode Fuzzy Hash: 856d8eaa39934b337600fada48554ad489c200a5de82f2d8df133671ab9e99c3
                    • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

                    Execution Graph

                    Execution Coverage:37.2%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:87
                    Total number of Limit Nodes:6
                    execution_graph: node/edge listing of the rendered graph not reproduced; nodes carrying API calls: Wow64SetThreadContext (e3532a, e35330), ReadProcessMemory (e353ea, e353f0), VirtualAllocEx (e354aa, e354b0), WriteProcessMemory (e35550, e35558), ResumeThread (e3562a, e35630), CreateProcessAsUserA (e34fe5)

                    Control-flow Graph

                    control_flow_graph: basic blocks e34f4c-e352e8 (executed/not-executed rendering not reproduced); CreateProcessAsUserA called in block e35142-e351fe; subcalls to e301cc from e35283, e35297 and e352ab
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E351EB
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 2b53380f640c001f5367729c64b0d67f12528c1d02832cb40a86763623499368
                    • Instruction ID: 02d6857849a5534eb01266c3b3b31a1cfecd4fb209384fa904d4a7768699640b
                    • Opcode Fuzzy Hash: 2b53380f640c001f5367729c64b0d67f12528c1d02832cb40a86763623499368
                    • Instruction Fuzzy Hash: 81A14A71E006199FDB14CFA8C8857EEBBB6FF48304F0481A9E818A7391DB759985CF91

                    Control-flow Graph

                    control_flow_graph: basic blocks e34f58-e352e8 (executed/not-executed rendering not reproduced); CreateProcessAsUserA called in block e35142-e351fe; subcalls to e301cc from e35283, e35297 and e352ab
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E351EB
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 302d43012d9ab248ed7062e37b8fefc650a75fb30b2817b4c053f1f9454e3ae3
                    • Instruction ID: 84afb94ac8a3b72a902f2c1fbcd5da71df50a264f17a0ead72b90cea49aa0a0b
                    • Opcode Fuzzy Hash: 302d43012d9ab248ed7062e37b8fefc650a75fb30b2817b4c053f1f9454e3ae3
                    • Instruction Fuzzy Hash: 2DA15971E00A199FDB14CFA8C8457EEBBB6FF48304F0481A9E818A7391DB759985CF91

                    Control-flow Graph

                    control_flow_graph: basic blocks e35550-e3561c (executed/not-executed rendering not reproduced); WriteProcessMemory called in block e355b9-e355f2
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00E355E5
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: b1acb3eff79763e2dd9dc86c099361011eb0eb58f380670c7689d038ee4a6238
                    • Instruction ID: 9fa4903b3f208e671c68684be145a4ee33652102a69fa3ee3c1966dbddf868c5
                    • Opcode Fuzzy Hash: b1acb3eff79763e2dd9dc86c099361011eb0eb58f380670c7689d038ee4a6238
                    • Instruction Fuzzy Hash: 6621E4B1900259DFCB10CFAAC889BDEBFF5FB48314F10842AE459A7351D374A945CB64

                    Control-flow Graph

                    control_flow_graph: basic blocks e35558-e3561c (executed/not-executed rendering not reproduced); WriteProcessMemory called in block e355b9-e355f2
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00E355E5
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: cbab9ca812c00ca2bbff17c06c590bb408f7618da5274665fa36cc9cb3f46704
                    • Instruction ID: 7f590950768be5932de3cd34b1ed86d8ce5cdb1e8edd237abdaa9faa2235e70c
                    • Opcode Fuzzy Hash: cbab9ca812c00ca2bbff17c06c590bb408f7618da5274665fa36cc9cb3f46704
                    • Instruction Fuzzy Hash: 4221E4B1900659DFCB10CF9AC885BDEBBF5FB48314F10842AE959A7350D374A944CFA4

                    Control-flow Graph

                    control_flow_graph: basic blocks e3532a-e353de (executed/not-executed rendering not reproduced); Wow64SetThreadContext called in block e35388-e353b4
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00E353A7
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 745e1ce6b9471240f183a03be16443a2288ead3b3a70d32939313b0700b10daa
                    • Instruction ID: fee7e04591e956d7cd5739a2fd2a5d172bc68184db7677f37f3e4eab76b10e3a
                    • Opcode Fuzzy Hash: 745e1ce6b9471240f183a03be16443a2288ead3b3a70d32939313b0700b10daa
                    • Instruction Fuzzy Hash: 992115B2D006199FCB14CFAAC4857EEFBB4AB48310F10812AD418B3340D378A945CFA0

                    Control-flow Graph

                    control_flow_graph: basic blocks e35330-e353de (executed/not-executed rendering not reproduced); Wow64SetThreadContext called in block e35388-e353b4
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00E353A7
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 6bae1720ce239d4ea58c78abfff54425c619ae056700a74d9b4f840bc5b599e7
                    • Instruction ID: 54bade4dc09dd67843dce080a85a649f2401f8e5762c3eb4e309ee3770604115
                    • Opcode Fuzzy Hash: 6bae1720ce239d4ea58c78abfff54425c619ae056700a74d9b4f840bc5b599e7
                    • Instruction Fuzzy Hash: 4E21F4B29106199FCB00CF9AC885BAEFBF4FB48324F10812AD418B3340D378A944CFA5

                    Control-flow Graph

                    control_flow_graph: basic blocks e353ea-e3549d (executed/not-executed rendering not reproduced); ReadProcessMemory called in block e353ea-e35473
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E35466
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 40d22bdb2a204c6a15f529b22f4801c50f0d789616e595bd26438a751c1f6bc1
                    • Instruction ID: 29d30ddaf93d135e6a61696c0d9911facf274c0b9addc2d7893f3829fd6e0b86
                    • Opcode Fuzzy Hash: 40d22bdb2a204c6a15f529b22f4801c50f0d789616e595bd26438a751c1f6bc1
                    • Instruction Fuzzy Hash: 3F21F7B2900659DFCB10CFAAC485BEEFFF4EB48320F148029E569A7251D379A945CF61

                    Control-flow Graph (rendered graph omitted): basic blocks e353f0-e3549d; ReadProcessMemory is called in block e353f0-e35473.
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E35466
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: d6adce98684aeb617980423fc632eb5e790ff99cc80431382e28dcbf65a97039
                    • Instruction ID: 7b9f25f4ef1610b4198a5dbcd7ddfd12249ac8686df999b12a06253b50e3fc46
                    • Opcode Fuzzy Hash: d6adce98684aeb617980423fc632eb5e790ff99cc80431382e28dcbf65a97039
                    • Instruction Fuzzy Hash: BD21F4B2900649DFCB10CF9AC884BDEBBF4EB48320F108029E969A7250D375A544CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks e354aa-e35545; VirtualAllocEx is called in block e354aa-e35528.
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E3551B
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 0a2b970cc6a222dfb780f050da8b8db2e6de34cc1e68f6beca36cbec4bab363f
                    • Instruction ID: d0d74dbebf41c9421018907b4b1e349d9ec36d5d17871715d5cafca408cc679c
                    • Opcode Fuzzy Hash: 0a2b970cc6a222dfb780f050da8b8db2e6de34cc1e68f6beca36cbec4bab363f
                    • Instruction Fuzzy Hash: A41116B6900649DFCB10CF99D485BEEBFF5EB88320F208419E559A7250C375A944CFA0

                    Control-flow Graph (rendered graph omitted): basic blocks e354b0-e35545; VirtualAllocEx is called in block e354b0-e35528.
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E3551B
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: c60d2d5838039a55b2e5b71ddc0aa331d08365b09df529feaad92e9869fe288c
                    • Instruction ID: 7ecc3aee932f72192b12074869e91b99294ca2206461fc457666ac5804bb4c02
                    • Opcode Fuzzy Hash: c60d2d5838039a55b2e5b71ddc0aa331d08365b09df529feaad92e9869fe288c
                    • Instruction Fuzzy Hash: EB1113B6800649DFCB10CF9AC884BDEBFF4EB48320F208419E528A7210C375A940CFA4

                    Control-flow Graph (rendered graph omitted): basic blocks e3562a-e356b9; ResumeThread is called in block e3562a-e3569c.
                    APIs
                    • ResumeThread.KERNELBASE(B8257002), ref: 00E3568F
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: b2f7ef54ca7b32011cb9eebc9dc2c41a93ad9ea59af4d247d3d3651c5c751eab
                    • Instruction ID: b3b10b67302fcb77bb75df7882f156b7321d05e35a3c1e0d39f27e000090b21c
                    • Opcode Fuzzy Hash: b2f7ef54ca7b32011cb9eebc9dc2c41a93ad9ea59af4d247d3d3651c5c751eab
                    • Instruction Fuzzy Hash: 211103B1800649CFCB20CF99D489BEEBFF4EB88324F208459D459A7350C775A944CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks e35630-e356b9; ResumeThread is called in block e35630-e3569c.
                    APIs
                    • ResumeThread.KERNELBASE(B8257002), ref: 00E3568F
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252351574.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_e30000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 7d514a2cc13ab8c19cb7be5a605d975b2e52a9a3522a3ff7d9118d317c91ad4a
                    • Instruction ID: d796577b7bc03de2074f861c5b4afe2473efcdffdcdd2281e74571fb87de234b
                    • Opcode Fuzzy Hash: 7d514a2cc13ab8c19cb7be5a605d975b2e52a9a3522a3ff7d9118d317c91ad4a
                    • Instruction Fuzzy Hash: 161100B1800649CFCB10DF9AC489BDEBBF4EB48324F20842AD559A7350C375A944CFA5
                    Memory Dump Source
                    • Source File: 0000002D.00000002.3252626736.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_45_2_2af0000_Phtos.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e41fd1c6e2c7c9ce572d292d72c34d0385c89aa7906de0312a3a84287c347c89
                    • Instruction ID: 517205e14c9a845ce36bc8800a83b0740e5fea0603fd719d0177b41efe9acc34
                    • Opcode Fuzzy Hash: e41fd1c6e2c7c9ce572d292d72c34d0385c89aa7906de0312a3a84287c347c89
                    • Instruction Fuzzy Hash: 2AF092EAA1E7C14FD70B03242CB96557F708F6720970E05DFD0968F1E3E509190AC726

                    Execution Graph

                    Execution Coverage:34.5%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:94
                    Total number of Limit Nodes:10
                    execution_graph (rendered graph omitted; 94 nodes): entry nodes 1740707, 17407eb, 1740848, 1740b58 and 1740b70 lead through 17408c3/1740b16, 1743296/17433ab/17433d7 and 17436b1/17436c0 into the 1744b7e routine, whose nodes call CreateProcessAsUserA (1744fe5), Wow64SetThreadContext (174532a/1745330), ReadProcessMemory (17453ea/17453f0), VirtualAllocEx (17454aa/17454b0), WriteProcessMemory (1745550/1745558, from three caller blocks) and ResumeThread (174562a/1745630).

                    Control-flow Graph (rendered graph omitted): basic blocks 1744f4c-17452e8; CreateProcessAsUserA is called in block 1745142-17451fe, and 17401cc is called from 1745283, 1745297 and 17452ab.
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 017451EB
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 887508af8de722b1a20cafa21ceaec321a74092688c50706d9680ebf4789b6b0
                    • Instruction ID: 30037059459d6b1dbcdb22221c4fe9abbefd60d210b160b28941ae7c5489b2eb
                    • Opcode Fuzzy Hash: 887508af8de722b1a20cafa21ceaec321a74092688c50706d9680ebf4789b6b0
                    • Instruction Fuzzy Hash: FAA14971E002199FDB14CFA8C9417EEFBB6FF49304F0481AAE818A7291DB749985CF91

                    Control-flow Graph (rendered graph omitted): basic blocks 1744f58-17452e8; CreateProcessAsUserA is called in block 1745142-17451fe, and 17401cc is called from 1745283, 1745297 and 17452ab.
                    APIs
                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 017451EB
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 7b0c83d2d4bc6d0feeedbdbfd2abd931a0f31f8219e76ff710071162f14c83b7
                    • Instruction ID: 35a3a8e0f2f98df01846458ea9631dd4944ef8ae35f9bfadc2c6983432da4ae1
                    • Opcode Fuzzy Hash: 7b0c83d2d4bc6d0feeedbdbfd2abd931a0f31f8219e76ff710071162f14c83b7
                    • Instruction Fuzzy Hash: 0DA14871E002199FEB14CFA9C9417EDFBB6FF49304F0481AAE818A7291DB749985CF91

                    Control-flow Graph (rendered graph omitted): basic blocks 1745550-174561c; WriteProcessMemory is called in block 17455b9-17455f2.
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 017455E5
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: fa087f6b8a46225f5c58f95160dc45f7961b21eb7db63bbdff9c55af2a33059a
                    • Instruction ID: 91b1359b668f1fc85e6c2f51db64913cfd883635026620b211e92df1da26ed4d
                    • Opcode Fuzzy Hash: fa087f6b8a46225f5c58f95160dc45f7961b21eb7db63bbdff9c55af2a33059a
                    • Instruction Fuzzy Hash: 9421E2B1901259DFCB10CFAAC885BEEFBF5BB48310F10842AE958E7251D374A544CBA5

                    Control-flow Graph (rendered graph omitted): basic blocks 1745558-174561c; WriteProcessMemory is called in block 17455b9-17455f2.
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 017455E5
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 1d1434564e87b8e0e70e4dd9f256239a70bed8413cda4143f012ac715f1bb6d0
                    • Instruction ID: 3e345a5c5633c3ce0e2b024a944bfb642465665bfbd0ce9b0fb402458885abbd
                    • Opcode Fuzzy Hash: 1d1434564e87b8e0e70e4dd9f256239a70bed8413cda4143f012ac715f1bb6d0
                    • Instruction Fuzzy Hash: E921D2B1901259DFDB10CF9AC885BEEFBF5FB48310F10842AE958A7251D374A944CBA4

                    Control-flow Graph (rendered graph omitted): basic blocks 174532a-17453de; Wow64SetThreadContext is called in block 1745388-17453b4.
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 017453A7
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: d8b57adafbea0eb5c59258d8c90f29587f736d7ffac5d7b780e4254975eb78d8
                    • Instruction ID: 33c3b24cb4721f967d184135df81b1dc4428e5d4a665529e72c12aa1e5910dbb
                    • Opcode Fuzzy Hash: d8b57adafbea0eb5c59258d8c90f29587f736d7ffac5d7b780e4254975eb78d8
                    • Instruction Fuzzy Hash: BF2136B1D102599FCB04CF9AC945BEEFBF4BB48314F14812AE558B3240D378A944CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks 1745330-17453de; Wow64SetThreadContext is called in block 1745388-17453b4.
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 017453A7
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: f911e52fd2150cc9d208e4e15f0a60b4e9808216cf58587988555d39e1ddb365
                    • Instruction ID: dd8fc343065ff0a37c50df6ef15348f5fae5040d0c9dade5cdbc3895e4eed7db
                    • Opcode Fuzzy Hash: f911e52fd2150cc9d208e4e15f0a60b4e9808216cf58587988555d39e1ddb365
                    • Instruction Fuzzy Hash: 182103B1D102199FDB04CF9AC985BEEFBF4BB49324F10812AE518B3240D378A9448FA5

                    Control-flow Graph (rendered graph omitted): basic blocks 17453ea-174549d; ReadProcessMemory is called in block 17453ea-1745473.
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01745466
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: a25661dbbdfc1b1632597c0a042a524ba089f612b5a86bbce2a6e2b4b306a100
                    • Instruction ID: a3155cedd67b1d62f9d05beac1482244ef77cda7a6892ee9f823acfd7b8226bf
                    • Opcode Fuzzy Hash: a25661dbbdfc1b1632597c0a042a524ba089f612b5a86bbce2a6e2b4b306a100
                    • Instruction Fuzzy Hash: B221C7B5900249DFCB10CF9AC984BDEFBF4FB48324F148429E958A7251D378A654CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks 17453f0-174549d; ReadProcessMemory is called in block 17453f0-1745473.
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01745466
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 1e56808c7b8b617483c0603e12dd2b19ee3e7d926dd1204cad51627967f46ea8
                    • Instruction ID: 76ff951debbec672c8d6d2060fd205649a25c0dc3f7de937897123420800726c
                    • Opcode Fuzzy Hash: 1e56808c7b8b617483c0603e12dd2b19ee3e7d926dd1204cad51627967f46ea8
                    • Instruction Fuzzy Hash: 3021D3B5900249DFCB10DF9AC984BDEFBF4FB48320F14842AE968A7251D378A544CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks 17454aa-1745545; VirtualAllocEx is called in block 17454aa-1745528.
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0174551B
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: dedb8cdcf47f14004cc3e703b3e26d3176f2dc359febd72ffd8927b86124eb99
                    • Instruction ID: c89081874f09ceb9407e6bf8f5d6954ee85ee6ce7f2ae7d75dc1d32591412856
                    • Opcode Fuzzy Hash: dedb8cdcf47f14004cc3e703b3e26d3176f2dc359febd72ffd8927b86124eb99
                    • Instruction Fuzzy Hash: 9C1102B6800248DFCB10DF99D984BDEFFF5EB48320F248419E568A7210C335A654CFA4

                    Control-flow Graph (rendered graph omitted): basic blocks 17454b0-1745545; VirtualAllocEx is called in block 17454b0-1745528.
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0174551B
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 0e2706c3c8711aac8d373475c8d710c1340f6eb58e3c2406b8ea496f92befb6e
                    • Instruction ID: a3f6c634d719eaadc974b75eddabbfb3a4cfabdd07453986c1d199a3ffca097a
                    • Opcode Fuzzy Hash: 0e2706c3c8711aac8d373475c8d710c1340f6eb58e3c2406b8ea496f92befb6e
                    • Instruction Fuzzy Hash: 4C11E0B5900249DFCB10DF9AD884BDEFFF5EB48324F208429E568A7250C375A944CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks 174562a-17456b9; ResumeThread is called in block 174562a-174569c.
                    APIs
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 4b613bf01afa26a4384586433c2c04617b7a62af08bc53796127ef2cd0416614
                    • Instruction ID: 81e9d893da562e1d54878758bd7f14853006db28bacd2e65f6b7d5d40b06560f
                    • Opcode Fuzzy Hash: 4b613bf01afa26a4384586433c2c04617b7a62af08bc53796127ef2cd0416614
                    • Instruction Fuzzy Hash: 191100B5800258CFCB10CF99D944BDEFBF4AB49324F24845AD558B7350C374AA44CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks 1745630-17456b9; ResumeThread is called in block 1745630-174569c.
                    APIs
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851888996.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1740000_Phtos.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: cb861e353d06e8218441b035f447c3b98fba53a9549ddafc87bb6e50123ab3f6
                    • Instruction ID: 5a97e77fc3a23129767987150141f5f08d050efb58e61e58dad4edca4d01a411
                    • Opcode Fuzzy Hash: cb861e353d06e8218441b035f447c3b98fba53a9549ddafc87bb6e50123ab3f6
                    • Instruction Fuzzy Hash: 451112B1800248CFCB10DF9AD444BDEFBF4EB49324F20846AD558A7250C374A944CFA5
                    Memory Dump Source
                    • Source File: 00000036.00000002.3851973227.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_54_2_1770000_Phtos.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f6f6438fe404e88325c9d953445f7b4f2610f64044538e353e0fc497f1204c2c
                    • Instruction ID: 4c7ab76208a4998bac0e077ecf9a1c371ea674682155af6364eb7851412e8b0b
                    • Opcode Fuzzy Hash: f6f6438fe404e88325c9d953445f7b4f2610f64044538e353e0fc497f1204c2c
                    • Instruction Fuzzy Hash: 610132A194E7C45FEB0387758D24290BF329F03262B5E40CBD0C0CF1A7E66A0D4AD326