
Windows Analysis Report
SALKI098765R400.exe

Overview

General Information

Sample name: SALKI098765R400.exe
Analysis ID: 1501651
MD5: 2a2526a15732cd1f3f8859fe3f504cb9
SHA1: 53f5eee1f770d79666d7421823f29ee21d8cba3e
SHA256: 406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SALKI098765R400.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\SALKI098765R400.exe" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
    • Monteverdi.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\SALKI098765R400.exe" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
      • Monteverdi.exe (PID: 7280 cmdline: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\kzprjxuapxdhlyxhl" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
      • Monteverdi.exe (PID: 7324 cmdline: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\vcukjqfccfvunelldxmk" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
      • Monteverdi.exe (PID: 7336 cmdline: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\xwickiyvqnnyythxmizmrgn" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
      • Monteverdi.exe (PID: 7384 cmdline: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\xwickiyvqnnyythxmizmrgn" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
  • wscript.exe (PID: 7672 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Monteverdi.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
      • Monteverdi.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe" MD5: 2A2526A15732CD1F3F8859FE3F504CB9)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "192.210.150.26:8787:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NKQ1SM", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source: 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6c4b8: $a1: Remcos restarted by watchdog!
  • 0x6ca30: $a3: %02i:%02i:%02i:%03i
Source: 20.2.Monteverdi.exe.3500000.1.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 20.2.Monteverdi.exe.3500000.1.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 20.2.Monteverdi.exe.3500000.1.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 20.2.Monteverdi.exe.3500000.1.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x690b8: $a1: Remcos restarted by watchdog!
  • 0x69630: $a3: %02i:%02i:%02i:%03i
Source: 20.2.Monteverdi.exe.3500000.1.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x6310c: $str_a1: C:\Windows\System32\cmd.exe
  • 0x63088: $str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088: $str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588: $str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8: $str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c: $str_b2: Executing file:
  • 0x641fc: $str_b3: GetDirectListeningPort
  • 0x63ba8: $str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28: $str_b7: \update.vbs
  • 0x631a4: $str_b9: Downloaded file:
  • 0x63190: $str_b10: Downloading file:
  • 0x63234: $str_b12: Failed to upload file:
  • 0x641c4: $str_b13: StartForward
  • 0x641e4: $str_b14: StopForward
  • 0x63c80: $str_b15: fso.DeleteFile "
  • 0x63c14: $str_b16: On Error Resume Next
  • 0x63cb0: $str_b17: fso.DeleteFolder "
  • 0x63224: $str_b18: Uploaded file:
  • 0x631e4: $str_b19: Unable to delete:
  • 0x63c48: $str_b20: while fso.FileExists("
  • 0x636c1: $str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" , ProcessId: 7672, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs" , ProcessId: 7672, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe, ProcessId: 4508, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe, ProcessId: 4508, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp: 2024-08-30T09:23:25.186663+0200
SID: 2032776
Severity: 1
Source Port: 49699
Destination Port: 8787
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-30T09:23:25.988192+0200
SID: 2032777
Severity: 1
Source Port: 8787
Destination Port: 49699
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-30T09:25:41.161619+0200
SID: 2032777
Severity: 1
Source Port: 8787
Destination Port: 49699
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-30T09:23:27.318743+0200
SID: 2803304
Severity: 3
Source Port: 49701
Destination Port: 80
Protocol: TCP
Classtype: Unknown Traffic

AV Detection

Source: 00000015.00000002.1401843979.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "192.210.150.26:8787:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NKQ1SM", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 192.210.150.26 | Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Virustotal: Detection: 45%
Source: SALKI098765R400.exe | ReversingLabs: Detection: 31%
Source: SALKI098765R400.exe | Virustotal: Detection: 45%
Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3711463284.0000000001108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1401843979.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3713280494.00000000040AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3712832737.0000000003AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Joe Sandbox ML: detected
Source: SALKI098765R400.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_004338C8
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,21_2_004338C8
Source: Monteverdi.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00407538 _wcslen,CoGetObject,2_2_00407538
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00407538 _wcslen,CoGetObject,21_2_00407538
Source: SALKI098765R400.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0048DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0048DBBE
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_000BDBBE
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0044E8F9 FindFirstFileExA,2_2_0044E8F9
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_100010F1
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_10006580 FindFirstFileExA,2_2_10006580
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_0040928E
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_0041C322
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_0040C388
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_004096A0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_00408847
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00407877 FindFirstFileW,FindNextFileW,21_2_00407877
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0044E8F9 FindFirstFileExA,21_2_0044E8F9
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_0040BB6B
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_00419B86
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_0040BD72
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49699 -> 192.210.150.26:8787
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 192.210.150.26:8787 -> 192.168.2.7:49699
Source: Malware configuration extractor | URLs: 192.210.150.26
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49701 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,2_2_0041B411
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Monteverdi.exe, 0000000C.00000003.1302649890.00000000015E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Monteverdi.exe, 0000000C.00000003.1302649890.00000000015E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Monteverdi.exe, 00000002.00000002.3713450372.0000000004140000.00000040.10000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Monteverdi.exe, 0000000C.00000002.1303944981.00000000015EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Monteverdi.exe, 0000000C.00000002.1303944981.00000000015EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Monteverdi.exe, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Monteverdi.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Monteverdi.exe, 00000002.00000002.3714005533.0000000007210000.00000040.10000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Monteverdi.exe, 00000002.00000002.3714005533.0000000007210000.00000040.10000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvA0.tmp.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                  Source: Monteverdi.exe, 00000002.00000002.3712912601.0000000003B7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                  Source: Monteverdi.exeString found in binary or memory: http://geoplugin.net/json.gp
                  Source: Monteverdi.exe, 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Monteverdi.exe, 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Monteverdi.exe, 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Monteverdi.exe, 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Monteverdi.exe, 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: Monteverdi.exe, 00000002.00000002.3712912601.0000000003B7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://ocsp.digicert.com0:
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://ocsp.digicert.com0H
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://ocsp.digicert.com0I
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://ocsp.msocsp.com0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://ocsp.msocsp.com0S
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: bhvA0.tmp.12.drString found in binary or memory: http://www.digicert.com/CPS0~
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000F.00000002.1293433595.000000000116D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: Monteverdi.exe, 00000002.00000002.3713450372.0000000004140000.00000040.10000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: Monteverdi.exe, 0000000F.00000002.1293433595.000000000116D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comppData
                  Source: Monteverdi.exe, 00000002.00000002.3713450372.0000000004140000.00000040.10000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: Monteverdi.exe, 0000000C.00000002.1303495583.00000000011F4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?23ecc2fb73d617d9826364f47d1067db
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?7bac4e73e9b20fcc41dc97447167937d
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: Monteverdi.exeString found in binary or memory: https://login.yahoo.com/config/login
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-07-50-22/PreSignInSettingsConfig.json
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=d75433bcf1f9312f1975
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=ad62f4
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000F.00000002.1293028796.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: Monteverdi.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhvA0.tmp.12.drString found in binary or memory: https://www.office.com/

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000,2_2_0040A2F3
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,2_2_0040B749
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,2_2_004168FC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,12_2_0040987A
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,12_2_004098E2
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,13_2_00406DFC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,13_2_00406E9F
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_004068B5
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,15_2_004072B5
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,21_2_004168FC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,2_2_0040B749
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0043912D GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_0043912D
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_004B9576
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_000E9576
                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3711463284.0000000001108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1401843979.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713280494.00000000040AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3712832737.0000000003AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041CA73 SystemParametersInfoW,2_2_0041CA73
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041CA73 SystemParametersInfoW,21_2_0041CA73

                  System Summary

                  Source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: SALKI098765R400.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: SALKI098765R400.exe, 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7c7406c3-a
Source: Monteverdi.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Monteverdi.exe, 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_0b591387-e)
Source: Monteverdi.exe, 00000014.00000002.1391006106.0000000000112000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_05eeca00-6)
Source: Monteverdi.exe, 00000015.00000002.1400958321.0000000000112000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_6be7de4d-7)
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00423170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00423170
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00439052 NtdllDialogWndProc_W,0_2_00439052
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004390A7 NtdllDialogWndProc_W,0_2_004390A7
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B90A1 SendMessageW,NtdllDialogWndProc_W,0_2_004B90A1
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_004B911E
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004BA2D7 NtdllDialogWndProc_W,0_2_004BA2D7
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B93CB NtdllDialogWndProc_W,0_2_004B93CB
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9380 NtdllDialogWndProc_W,0_2_004B9380
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9400 ClientToScreen,NtdllDialogWndProc_W,0_2_004B9400
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_004B9576
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B953A GetWindowLongW,NtdllDialogWndProc_W,0_2_004B953A
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004397C0 GetParent,NtdllDialogWndProc_W,0_2_004397C0
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0043997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E4C8D0,NtdllDialogWndProc_W,0_2_0043997D
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B8AAA NtdllDialogWndProc_W,0_2_004B8AAA
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B8B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_004B8B02
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00438BA4 NtdllDialogWndProc_W,0_2_00438BA4
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B8D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,0_2_004B8D0E
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9E74 NtdllDialogWndProc_W,0_2_004B9E74
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,0_2_004B9EF3
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_004B8FC9
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_004B9F86
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00053170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_00053170
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00069052 NtdllDialogWndProc_W,2_2_00069052
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000690A7 NtdllDialogWndProc_W,2_2_000690A7
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E90A1 SendMessageW,NtdllDialogWndProc_W,2_2_000E90A1
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_000E911E
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000EA2D7 NtdllDialogWndProc_W,2_2_000EA2D7
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9380 NtdllDialogWndProc_W,2_2_000E9380
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E93CB NtdllDialogWndProc_W,2_2_000E93CB
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9400 ClientToScreen,NtdllDialogWndProc_W,2_2_000E9400
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E953A GetWindowLongW,NtdllDialogWndProc_W,2_2_000E953A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_000E9576
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000697C0 GetParent,NtdllDialogWndProc_W,2_2_000697C0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0006997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E4C8D0,NtdllDialogWndProc_W,2_2_0006997D
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E8AAA NtdllDialogWndProc_W,2_2_000E8AAA
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E8B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,2_2_000E8B02
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00068BA4 NtdllDialogWndProc_W,2_2_00068BA4
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E8D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,2_2_000E8D0E
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9E74 NtdllDialogWndProc_W,2_2_000E9E74
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,2_2_000E9EF3
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,2_2_000E9F86
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_000E8FC9
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,2_2_0041812A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,2_2_0041330D
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,2_2_0041D620
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,2_2_0041BBC6
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,2_2_0041BB9A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00401806 NtdllDefWindowProc_W,12_2_00401806
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_004018C0 NtdllDefWindowProc_W,12_2_004018C0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_004016FD NtdllDefWindowProc_A,13_2_004016FD
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_004017B7 NtdllDefWindowProc_A,13_2_004017B7
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00402CAC NtdllDefWindowProc_A,15_2_00402CAC
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00402D66 NtdllDefWindowProc_A,15_2_00402D66
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,21_2_0041330D
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,21_2_0041D620
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,21_2_0041BBC6
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,21_2_0041BB9A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,2_2_004167EF
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,21_2_004167EF
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004291C0 0_2_004291C0
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0044E1E0 0_2_0044E1E0
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00441394 0_2_00441394
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00441706 0_2_00441706
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004B4873 0_2_004B4873
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0044781B 0_2_0044781B
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00427969 0_2_00427969
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0043997D 0_2_0043997D
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004419B0 0_2_004419B0
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0042CAF0 0_2_0042CAF0
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00441C77 0_2_00441C77
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00441F32 0_2_00441F32
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0043AFAC 0_2_0043AFAC
Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_01FB3620 0_2_01FB3620
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000591C0 2_2_000591C0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0007E1E0 2_2_0007E1E0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00071394 2_2_00071394
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00071706 2_2_00071706
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0007781B 2_2_0007781B
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000E4873 2_2_000E4873
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00057969 2_2_00057969
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0006997D 2_2_0006997D
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_000719B0 2_2_000719B0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0005CAF0 2_2_0005CAF0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00071C77 2_2_00071C77
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00071F32 2_2_00071F32
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0006AFAC 2_2_0006AFAC
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0043706A 2_2_0043706A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00414005 2_2_00414005
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0043E11C 2_2_0043E11C
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004541D9 2_2_004541D9
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004381E8 2_2_004381E8
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041F18B 2_2_0041F18B
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00446270 2_2_00446270
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0043E34B 2_2_0043E34B
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004533AB 2_2_004533AB
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0042742E 2_2_0042742E
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00437566 2_2_00437566
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0043E5A8 2_2_0043E5A8
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004387F0 2_2_004387F0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0043797E 2_2_0043797E
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_004339D7 2_2_004339D7
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0044DA49 2_2_0044DA49
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00427AD7 2_2_00427AD7
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041DBF3 2_2_0041DBF3
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00427C40 2_2_00427C40
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00437DB3 2_2_00437DB3
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00435EEB 2_2_00435EEB
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0043DEED 2_2_0043DEED
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00426E9F 2_2_00426E9F
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_10017194 2_2_10017194
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_1000B5C1 2_2_1000B5C1
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_03BE3620 2_2_03BE3620
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044B040 12_2_0044B040
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0043610D 12_2_0043610D
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00447310 12_2_00447310
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044A490 12_2_0044A490
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0040755A 12_2_0040755A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0043C560 12_2_0043C560
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044B610 12_2_0044B610
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044D6C0 12_2_0044D6C0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_004476F0 12_2_004476F0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044B870 12_2_0044B870
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044081D 12_2_0044081D
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00414957 12_2_00414957
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_004079EE 12_2_004079EE
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00407AEB 12_2_00407AEB
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044AA80 12_2_0044AA80
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00412AA9 12_2_00412AA9
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00404B74 12_2_00404B74
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00404B03 12_2_00404B03
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044BBD8 12_2_0044BBD8
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00404BE5 12_2_00404BE5
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00404C76 12_2_00404C76
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00415CFE 12_2_00415CFE
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00416D72 12_2_00416D72
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00446D30 12_2_00446D30
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00446D8B 12_2_00446D8B
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00406E8F 12_2_00406E8F
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00405038 13_2_00405038
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0041208C 13_2_0041208C
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_004050A9 13_2_004050A9
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0040511A 13_2_0040511A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0043C13A 13_2_0043C13A
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_004051AB 13_2_004051AB
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00449300 13_2_00449300
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0040D322 13_2_0040D322
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0044A4F0 13_2_0044A4F0
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0043A5AB 13_2_0043A5AB
Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00413631 13_2_00413631
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_0044669013_2_00446690
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_0044A73013_2_0044A730
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_004398D813_2_004398D8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_004498E013_2_004498E0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_0044A88613_2_0044A886
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_0043DA0913_2_0043DA09
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_00438D5E13_2_00438D5E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_00449ED013_2_00449ED0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_0041FE8313_2_0041FE83
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 13_2_00430F5413_2_00430F54
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_004050C215_2_004050C2
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_004014AB15_2_004014AB
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_0040513315_2_00405133
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_004051A415_2_004051A4
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_0040124615_2_00401246
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_0040CA4615_2_0040CA46
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_0040523515_2_00405235
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_004032C815_2_004032C8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_0040168915_2_00401689
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 15_2_00402F6015_2_00402F60
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 20_2_034F362020_2_034F3620
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043706A21_2_0043706A
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0041400521_2_00414005
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043E11C21_2_0043E11C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_004541D921_2_004541D9
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_004381E821_2_004381E8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0041F18B21_2_0041F18B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0044627021_2_00446270
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043E34B21_2_0043E34B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_004533AB21_2_004533AB
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0042742E21_2_0042742E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043756621_2_00437566
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043E5A821_2_0043E5A8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_004387F021_2_004387F0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043797E21_2_0043797E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_004339D721_2_004339D7
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0044DA4921_2_0044DA49
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_00427AD721_2_00427AD7
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0041DBF321_2_0041DBF3
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_00427C4021_2_00427C40
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_00437DB321_2_00437DB3
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_00435EEB21_2_00435EEB
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0043DEED21_2_0043DEED
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_00426E9F21_2_00426E9F
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: 21_2_0214362021_2_02143620
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 0040417E appears 46 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 004169A7 appears 87 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 004165FF appears 35 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00434801 appears 82 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00457AA8 appears 34 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00445951 appears 56 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00402213 appears 38 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00422297 appears 42 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 004052FD appears 32 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00434E70 appears 108 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00401FAB appears 39 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00411FA2 appears 32 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00402093 appears 100 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 0044DB70 appears 41 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 004020DF appears 40 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 004046F7 appears 34 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00401E65 appears 69 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00444B5A appears 37 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00413025 appears 79 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 00416760 appears 69 times
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeCode function: String function: 0044854A appears 36 times
Source: SALKI098765R400.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@16/16@2/2
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004937B5 GetLastError,FormatMessageW,0_2_004937B5
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_0041798D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,15_2_00410DE1
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,21_2_0041798D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,12_2_00418758
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0048D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0048D4DC
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004242A2 FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_004242A2
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AADB
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | File created: C:\Users\user\AppData\Local\scrolar
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-NKQ1SM
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | File created: C:\Users\user~1\AppData\Local\Temp\autECCA.tmp
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | System information queried: HandleInformation
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000D.00000002.1287082723.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: Monteverdi.exe, 00000002.00000002.3714005533.0000000007210000.00000040.10000000.00040000.00000000.sdmp, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: Monteverdi.exe, 0000000C.00000003.1302649890.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, Monteverdi.exe, 0000000C.00000002.1303944981.00000000015EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Monteverdi.exe, Monteverdi.exe, 0000000C.00000002.1303137303.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: SALKI098765R400.exe | ReversingLabs: Detection: 31%
                  Source: SALKI098765R400.exe | Virustotal: Detection: 45%
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | File read: C:\Users\user\Desktop\SALKI098765R400.exe
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
                  Source: unknown | Process created: C:\Users\user\Desktop\SALKI098765R400.exe "C:\Users\user\Desktop\SALKI098765R400.exe"
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe "C:\Users\user\Desktop\SALKI098765R400.exe"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\kzprjxuapxdhlyxhl"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\vcukjqfccfvunelldxmk"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\xwickiyvqnnyythxmizmrgn"
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: pstorec.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: vaultcli.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: SALKI098765R400.exe | Static file information: File size 1055744 > 1048576
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_00440A76 push ecx; ret 0_2_00440A89
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00070A76 push ecx; ret 2_2_00070A89
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00457186 push ecx; ret 2_2_00457199
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0045E55D push esi; ret 2_2_0045E566
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00457AA8 push eax; ret 2_2_00457AC6
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00434EB6 push ecx; ret 2_2_00434EC9
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_10002806 push ecx; ret 2_2_10002819
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044693D push ecx; ret 12_2_0044694D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044DB70 push eax; ret 12_2_0044DB84
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_0044DB70 push eax; ret 12_2_0044DBAC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 12_2_00451D54 push eax; ret 12_2_00451D61
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0044B090 push eax; ret 13_2_0044B0A4
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_0044B090 push eax; ret 13_2_0044B0CC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00451D34 push eax; ret 13_2_00451D41
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 13_2_00444E71 push ecx; ret 13_2_00444E81
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00414060 push eax; ret 15_2_00414074
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00414060 push eax; ret 15_2_0041409C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00414039 push ecx; ret 15_2_00414049
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00457186 push ecx; ret 21_2_00457199
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_0045E55D push esi; ret 21_2_0045E566
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00457AA8 push eax; ret 21_2_00457AC6
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 21_2_00434EB6 push ecx; ret 21_2_00434EC9
                  Source: initial sample | Static PE information: section name: UPX0
                  Source: initial sample | Static PE information: section name: UPX1
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_00406EEB ShellExecuteW,URLDownloadToFileW,2_2_00406EEB
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | File created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AADB
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe | Code function: 0_2_0043F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0043F98E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0006F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_0006F98E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: 2_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041CBE1
                  Source: C:\Users\user\Desktop\SALKI098765R400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SALKI098765R400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0040F7E2 Sleep,ExitProcess,2_2_0040F7E2
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0040F7E2 Sleep,ExitProcess,21_2_0040F7E2
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,2_2_0041A7D9
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,21_2_0041A7D9
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Window / User API: threadDelayed 1944
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Window / User API: threadDelayed 7570
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Window / User API: foregroundWindowGot 1761
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe API coverage: 9.8 %
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe API coverage: 9.5 %
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe API coverage: 6.5 %
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe TID: 3036 Thread sleep count: 220 > 30
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe TID: 3036 Thread sleep time: -110000s >= -30000s
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe TID: 2704 Thread sleep count: 1944 > 30
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe TID: 2704 Thread sleep time: -5832000s >= -30000s
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe TID: 2704 Thread sleep count: 7570 > 30
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe TID: 2704 Thread sleep time: -22710000s >= -30000s
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_0048DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0048DBBE
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_000BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_000BDBBE
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0044E8F9 FindFirstFileExA,2_2_0044E8F9
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_100010F1
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_10006580 FindFirstFileExA,2_2_10006580
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_0040928E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_0041C322
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_0040C388
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_004096A0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_00408847
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_00407877 FindFirstFileW,FindNextFileW,21_2_00407877
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0044E8F9 FindFirstFileExA,21_2_0044E8F9
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_00419B86
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_0040BD72
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
                  Source: wscript.exe, 00000013.00000002.1378356606.00000228D7DA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\cal
                  Source: Monteverdi.exe, 00000015.00000003.1392071022.00000000014A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iLKvMcIMSH4MJ
                  Source: Monteverdi.exe, 00000002.00000002.3712912601.0000000003B88000.00000004.00000020.00020000.00000000.sdmp, Monteverdi.exe, 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: bhvA0.tmp.12.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                  Source: Monteverdi.exe, 00000014.00000003.1378858705.0000000000A64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iLKvMcIM
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe API call chain: ExitProcess graph end node graph_0-31302
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe API call chain: ExitProcess graph end node graph_2-85309
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00452622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00452622
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00444CE8 mov eax, dword ptr fs:[00000030h] 0_2_00444CE8
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_01FB3510 mov eax, dword ptr fs:[00000030h] 0_2_01FB3510
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_01FB34B0 mov eax, dword ptr fs:[00000030h] 0_2_01FB34B0
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_01FB1E90 mov eax, dword ptr fs:[00000030h] 0_2_01FB1E90
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_01FB1E7E mov eax, dword ptr fs:[00000030h] 0_2_01FB1E7E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00074CE8 mov eax, dword ptr fs:[00000030h] 2_2_00074CE8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00443355 mov eax, dword ptr fs:[00000030h] 2_2_00443355
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_10004AB4 mov eax, dword ptr fs:[00000030h] 2_2_10004AB4
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_03BE1E90 mov eax, dword ptr fs:[00000030h] 2_2_03BE1E90
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_03BE1E7E mov eax, dword ptr fs:[00000030h] 2_2_03BE1E7E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_03BE3510 mov eax, dword ptr fs:[00000030h] 2_2_03BE3510
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_03BE34B0 mov eax, dword ptr fs:[00000030h] 2_2_03BE34B0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 20_2_034F1E7E mov eax, dword ptr fs:[00000030h] 20_2_034F1E7E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 20_2_034F3510 mov eax, dword ptr fs:[00000030h] 20_2_034F3510
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 20_2_034F1E90 mov eax, dword ptr fs:[00000030h] 20_2_034F1E90
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 20_2_034F34B0 mov eax, dword ptr fs:[00000030h] 20_2_034F34B0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_00443355 mov eax, dword ptr fs:[00000030h] 21_2_00443355
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_021434B0 mov eax, dword ptr fs:[00000030h] 21_2_021434B0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_02143510 mov eax, dword ptr fs:[00000030h] 21_2_02143510
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_02141E7E mov eax, dword ptr fs:[00000030h] 21_2_02141E7E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_02141E90 mov eax, dword ptr fs:[00000030h] 21_2_02141E90
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,2_2_00411D39
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00452622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00452622
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_0044083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0044083F
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_004409D5 SetUnhandledExceptionFilter,0_2_004409D5
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00440C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00440C21
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00082622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00082622
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0007083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0007083F
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_000709D5 SetUnhandledExceptionFilter,2_2_000709D5
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00070C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00070C21
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0043503C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00434A8A
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043BB71
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00434BD8 SetUnhandledExceptionFilter,2_2_00434BD8
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_100060E2
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_10002639
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_10002B1C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_0043503C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00434A8A
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_0043BB71
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 21_2_00434BD8 SetUnhandledExceptionFilter,21_2_00434BD8

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,2_2_0041812A
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Section loaded: NULL target: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_00412132
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 21_2_00412132
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_0043F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0043F98E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00419662 mouse_event,2_2_00419662
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\kzprjxuapxdhlyxhl"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\vcukjqfccfvunelldxmk"
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\xwickiyvqnnyythxmizmrgn"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00481663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00481663
                  Source: SALKI098765R400.exe, 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp, Monteverdi.exe, 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp, Monteverdi.exe, 00000014.00000002.1391006106.0000000000112000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: Monteverdi.exe, 00000002.00000002.3712111142.00000000013E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager38
                  Source: Monteverdi.exe, 00000002.00000002.3712111142.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, Monteverdi.exe, 00000002.00000002.3712323766.00000000014CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                  Source: SALKI098765R400.exe, Monteverdi.exe Binary or memory string: Shell_TrayWnd
                  Source: Monteverdi.exe, 00000002.00000002.3712111142.00000000013E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managery8
                  Source: Monteverdi.exe, 00000002.00000002.3712111142.00000000013E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.
                  Source: Monteverdi.exe, 00000002.00000002.3712323766.00000000014CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
                  Source: Monteverdi.exe, 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, Monteverdi.exe, 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp, Monteverdi.exe, 00000002.00000002.3712323766.00000000014CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                  Source: Monteverdi.exe, 00000002.00000002.3712111142.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, Monteverdi.exe, 00000002.00000002.3712323766.00000000014CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerSM\
                  Source: Monteverdi.exe, 00000002.00000002.3712111142.000000000142C000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr Binary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00440698 cpuid 0_2_00440698
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,2_2_0045201B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,2_2_004520B6
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00452143
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,2_2_00452393
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,2_2_00448484
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004524BC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,2_2_004525C3
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00452690
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,2_2_0044896D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoA,2_2_0040F90C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00451D58
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,2_2_00451FD0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,21_2_0045201B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,21_2_004520B6
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,21_2_00452143
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,21_2_00452393
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,21_2_00448484
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_004524BC
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,21_2_004525C3
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_00452690
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoW,21_2_0044896D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: GetLocaleInfoA,21_2_0040F90C
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_00451D58
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: EnumSystemLocalesW,21_2_00451FD0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_00440A9D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00440A9D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_0041B69E GetComputerNameExW,GetUserNameW,2_2_0041B69E
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe Code function: 2_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,2_2_00449210
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
                  Source: C:\Users\user\Desktop\SALKI098765R400.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3711463284.0000000001108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1401843979.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713280494.00000000040AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3712832737.0000000003AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 2_2_0040BA4D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 21_2_0040BA4D
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: \key3.db, 2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 21_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: \key3.db, 21_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: ESMTPPassword, 13_2_004033F0
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword, 13_2_00402DB3
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword, 13_2_00402DB3
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7280, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NKQ1SM
                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Monteverdi.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.Monteverdi.exe.3500000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.Monteverdi.exe.3e50000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3711463284.0000000001108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1401843979.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713280494.00000000040AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3712832737.0000000003AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 4508, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7720, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Monteverdi.exe PID: 7748, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: cmd.exe, 2_2_0040569A
                  Source: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | Code function: cmd.exe, 21_2_0040569A
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information111
                  Scripting
                  Valid Accounts11
                  Native API
                  111
                  Scripting
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  2
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  12
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts12
                  Command and Scripting Interpreter
                  1
                  DLL Side-Loading
                  1
                  Bypass User Account Control
                  21
                  Obfuscated Files or Information
                  121
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  2
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts2
                  Service Execution
                  1
                  Windows Service
                  1
                  Access Token Manipulation
                  1
                  Software Packing
                  2
                  Credentials in Registry
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  1
                  Remote Access Software
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron2
                  Registry Run Keys / Startup Folder
                  1
                  Windows Service
                  1
                  DLL Side-Loading
                  3
                  Credentials In Files
                  3
                  File and Directory Discovery
                  Distributed Component Object Model121
                  Input Capture
                  2
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script222
                  Process Injection
                  1
                  Bypass User Account Control
                  LSA Secrets38
                  System Information Discovery
                  SSH3
                  Clipboard Data
                  12
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                  Registry Run Keys / Startup Folder
                  1
                  Masquerading
                  Cached Domain Credentials131
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Virtualization/Sandbox Evasion
                  DCSync1
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Access Token Manipulation
                  Proc Filesystem4
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt222
                  Process Injection
                  /etc/passwd and /etc/shadow11
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Behavior Graph ID: 1501651, Sample: SALKI098765R400.exe, Startdate: 30/08/2024, Architecture: WINDOWS, Score: 100
                  Top-level DNS/IP: 171.39.242.20.in-addr.arpa; geoplugin.net. Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 12 other signatures.
                  SALKI098765R400.exe (started): dropped C:\Users\user\AppData\...\Monteverdi.exe (PE32); Binary is likely a compiled AutoIt script file; started Monteverdi.exe.
                  Monteverdi.exe (child of SALKI098765R400.exe): 192.210.150.26, ports 49699, 49700, 8787, AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50, ports 49701, 80, ATOM86-ASATOM86NL, Netherlands; dropped C:\Users\user\AppData\...\Monteverdi.vbs (data) and C:\ProgramData\remcos\logs.dat (data); Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; 10 other signatures; started four further Monteverdi.exe processes: one Tries to steal Instant Messenger accounts or passwords and Tries to harvest and steal browser information (history, passwords, etc), one Tries to steal Mail credentials (via file / registry access).
                  wscript.exe (started): Windows Scripting host queries suspicious COM object (likely to drop second stage); started Monteverdi.exe (Binary is likely a compiled AutoIt script file), which started Monteverdi.exe (Detected Remcos RAT; Binary is likely a compiled AutoIt script file).

                  Source | Detection | Scanner | Label
                  SALKI098765R400.exe | 32% | ReversingLabs | Win32.Trojan.AutoitInject
                  SALKI098765R400.exe | 45% | Virustotal
                  SALKI098765R400.exe | 100% | Joe Sandbox ML
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | 100% | Joe Sandbox ML
                  C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | 32% | ReversingLabs | Win32.Trojan.AutoitInject
                  C:\Users\user\AppData\Local\scrolar\Monteverdi.exe | 45% | Virustotal
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  geoplugin.net | 1% | Virustotal
                  171.39.242.20.in-addr.arpa | 0% | Virustotal
                  Source | Detection | Scanner | Label
                  http://www.imvu.comr | 0% | URL Reputation | safe
                  https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
                  http://www.imvu.com | 0% | URL Reputation | safe
                  https://aefd.nelreports.net/api/report?cat=wsb | 0% | URL Reputation | safe
                  https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
                  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | 0% | URL Reputation | safe
                  https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
                  http://geoplugin.net/json.gpSystem32 | 0% | URL Reputation | safe
                  http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                  http://geoplugin.net/ | 0% | URL Reputation | safe
                  https://aefd.nelreports.net/api/report?cat=bingaot | 0% | URL Reputation | safe
                  http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                  https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | URL Reputation | safe
                  https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
                  https://login.yahoo.com/config/login | 0% | URL Reputation | safe
                  http://www.ebuddy.com | 0% | URL Reputation | safe
                  https://www.office.com/ | 0% | Avira URL Cloud | safe
                  https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9 | 0% | Avira URL Cloud | safe
                  http://www.nirsoft.net | 0% | Avira URL Cloud | safe
                  http://www.imvu.comppData | 0% | Avira URL Cloud | safe
                  https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | 0% | Avira URL Cloud | safe
                  http://www.nirsoft.net | 0% | Virustotal
                  https://www.office.com/ | 0% | Virustotal
                  https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05 | 0% | Avira URL Cloud | safe
                  192.210.150.26 | 0% | Avira URL Cloud | safe
                  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
                  https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58 | 0% | Avira URL Cloud | safe
                  https://www.google.com | 0% | Avira URL Cloud | safe
                  https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb | 0% | Avira URL Cloud | safe
                  https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
                  192.210.150.26 | 8% | Virustotal
                  https://www.google.com | 0% | Virustotal
                  http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
                  https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | 0% | Avira URL Cloud | safe
                  http://www.nirsoft.net/ | 0% | Virustotal
                  https://www.google.com/accounts/servicelogin | 0% | Virustotal
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  geoplugin.net | 178.237.33.50 | true | false | | unknown
                  171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  192.210.150.26 | true | 8%, Virustotal; Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  192.210.150.26 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                  178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                  Joe Sandbox version: 40.0.0 Tourmaline
                  Analysis ID: 1501651
                  Start date and time: 2024-08-30 09:22:30 +02:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 9m 12s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed: 29
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: SALKI098765R400.exe
                  Detection: MAL
                  Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@16/16@2/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 84%
                  • Number of executed functions: 109
                  • Number of non-executed functions: 307
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
                  • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:12:07 | API Interceptor | 7083331x Sleep call for process: Monteverdi.exe modified
09:23:27 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
192.210.150.26 | FTE98767800000.bat.exe | Get hash | malicious | Remcos | Browse |
178.237.33.50 | RFQ_0030829024SEPT.xla.xlsx | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | SI_56127.vbs | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | CAN_POST2617276.vbs | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | rYhL.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | InQEpnEuHC.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | rBslc_Pymt-Hs.exe | Get hash | malicious | Remcos, DBatLoader | Browse | geoplugin.net/json.gp
 | FdSJYyDayo.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | Ravakhu24105.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | BP-30M31_20240829_093844.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geoplugin.net | SI_56127.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | CAN_POST2617276.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | rYhL.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | InQEpnEuHC.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | rBslc_Pymt-Hs.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
 | FdSJYyDayo.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Ravakhu24105.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | BP-30M31_20240829_093844.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | P.O_Qouts_t87E90Y-E4R7G-PDF.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | RFQ -PO-SMT290824.xls | Get hash | malicious | Remcos | Browse | 192.3.140.102
 | RFQ_0020829024SEPT.xla.xlsx | Get hash | malicious | Unknown | Browse | 198.46.178.181
 | Sepco RFQ.xls | Get hash | malicious | Remcos | Browse | 192.3.193.155
 | Thermo Fisher RFQ_TFS-1805.xls | Get hash | malicious | GuLoader | Browse | 107.172.31.21
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.181
 | BP-30M31_20240829_093844.exe | Get hash | malicious | Remcos | Browse | 192.3.243.155
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | Get hash | malicious | Remcos | Browse | 192.3.101.172
 | PMT-INV0230824AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 198.46.178.181
 | French Group.js | Get hash | malicious | Remcos | Browse | 192.3.101.17
 | ORDER.xls | Get hash | malicious | Unknown | Browse | 192.3.193.155
ATOM86-ASATOM86NL | RFQ_0030829024SEPT.xla.xlsx | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SI_56127.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | CAN_POST2617276.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | rYhL.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | InQEpnEuHC.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | rBslc_Pymt-Hs.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
 | FdSJYyDayo.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Ravakhu24105.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | BP-30M31_20240829_093844.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                    No context
                    No context
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:modified
                    Size (bytes):204
                    Entropy (8bit):3.327925492202851
                    Encrypted:false
                    SSDEEP:3:rhlKlm2HlPLU5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:6lmx5YcIeeDAlOWA41gWAv
                    MD5:F5976AC4524205ABAB261F4FCDB3D972
                    SHA1:071DED8FE9A74EC0DFE8C3E82BB76B1A879CF8D5
                    SHA-256:47902E828C875B4AAD3AB9E746BE73561396F26457D00D981D22829ED690489E
                    SHA-512:C5586F543DD5D6760712CB98D94258A7EC3E63BE6BEE29F56A15A2697C76D81F929D6DE9FEF917E028C336EB9AFB2D11DD28276853D18D842D11D8A49BAD8E06
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                    Reputation:low
                    Preview:....[.2.0.2.4./.0.8./.3.0. .0.3.:.2.3.:.2.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):962
                    Entropy (8bit):5.013811273052389
                    Encrypted:false
                    SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                    MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                    SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                    SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                    SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):407094
                    Entropy (8bit):7.892737288179779
                    Encrypted:false
                    SSDEEP:12288:dExDfygOOzfNpV4z9ltteFPq99IN2dqifUkLI3BqTgp5RxvE:dEogOO5pVW9sPadHcQIRqkfRm
                    MD5:A9818CDDDD3427558A1B52F3A897F7D5
                    SHA1:8C4E0E6B5D38718775853897B5ADE3DCA8860BD7
                    SHA-256:8EDCE98287539533D272D1B9624DEFF8FF5ADAF11C1CC5CFE5256BF4422BB77A
                    SHA-512:DBE1AA049950BE7299549744BF035DC0731BB9626C2EE6CA02C3FCCAE864817AFFECDA4189E1E9FEF8BE37D7486DED6DA801CDEDA6715F7A2694CB1C9EE3ED19
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):11260
                    Entropy (8bit):7.621026394481169
                    Encrypted:false
                    SSDEEP:192:97FGNNtmiwVKCnqHkoZuBjxWM511oz6O0pEUENrnsBLU8PiNmfpcYjlNuq:7Grtmiw8WmgWM5112hVQb3c8
                    MD5:5AB857851BB90F19CFC4A5BEF68F6285
                    SHA1:DA5AE7783350302148E567C21E1A25FF312F43F3
                    SHA-256:D8D0DD78ACE87908E973377FB0CE249AE7D84B653AA45FD2AF1914516224564D
                    SHA-512:EE007315B9A590A64598532D1E78088362EB9F441945E71006978879DB03A6DB2CBAD08D1039793A27275548093BF3AE1ADF8C1445A9D6EE7D7A31039FFDB31D
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):407094
                    Entropy (8bit):7.892737288179779
                    Encrypted:false
                    SSDEEP:12288:dExDfygOOzfNpV4z9ltteFPq99IN2dqifUkLI3BqTgp5RxvE:dEogOO5pVW9sPadHcQIRqkfRm
                    MD5:A9818CDDDD3427558A1B52F3A897F7D5
                    SHA1:8C4E0E6B5D38718775853897B5ADE3DCA8860BD7
                    SHA-256:8EDCE98287539533D272D1B9624DEFF8FF5ADAF11C1CC5CFE5256BF4422BB77A
                    SHA-512:DBE1AA049950BE7299549744BF035DC0731BB9626C2EE6CA02C3FCCAE864817AFFECDA4189E1E9FEF8BE37D7486DED6DA801CDEDA6715F7A2694CB1C9EE3ED19
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):11260
                    Entropy (8bit):7.621026394481169
                    Encrypted:false
                    SSDEEP:192:97FGNNtmiwVKCnqHkoZuBjxWM511oz6O0pEUENrnsBLU8PiNmfpcYjlNuq:7Grtmiw8WmgWM5112hVQb3c8
                    MD5:5AB857851BB90F19CFC4A5BEF68F6285
                    SHA1:DA5AE7783350302148E567C21E1A25FF312F43F3
                    SHA-256:D8D0DD78ACE87908E973377FB0CE249AE7D84B653AA45FD2AF1914516224564D
                    SHA-512:EE007315B9A590A64598532D1E78088362EB9F441945E71006978879DB03A6DB2CBAD08D1039793A27275548093BF3AE1ADF8C1445A9D6EE7D7A31039FFDB31D
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\SALKI098765R400.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):407094
                    Entropy (8bit):7.892737288179779
                    Encrypted:false
                    SSDEEP:12288:dExDfygOOzfNpV4z9ltteFPq99IN2dqifUkLI3BqTgp5RxvE:dEogOO5pVW9sPadHcQIRqkfRm
                    MD5:A9818CDDDD3427558A1B52F3A897F7D5
                    SHA1:8C4E0E6B5D38718775853897B5ADE3DCA8860BD7
                    SHA-256:8EDCE98287539533D272D1B9624DEFF8FF5ADAF11C1CC5CFE5256BF4422BB77A
                    SHA-512:DBE1AA049950BE7299549744BF035DC0731BB9626C2EE6CA02C3FCCAE864817AFFECDA4189E1E9FEF8BE37D7486DED6DA801CDEDA6715F7A2694CB1C9EE3ED19
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\SALKI098765R400.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):11260
                    Entropy (8bit):7.621026394481169
                    Encrypted:false
                    SSDEEP:192:97FGNNtmiwVKCnqHkoZuBjxWM511oz6O0pEUENrnsBLU8PiNmfpcYjlNuq:7Grtmiw8WmgWM5112hVQb3c8
                    MD5:5AB857851BB90F19CFC4A5BEF68F6285
                    SHA1:DA5AE7783350302148E567C21E1A25FF312F43F3
                    SHA-256:D8D0DD78ACE87908E973377FB0CE249AE7D84B653AA45FD2AF1914516224564D
                    SHA-512:EE007315B9A590A64598532D1E78088362EB9F441945E71006978879DB03A6DB2CBAD08D1039793A27275548093BF3AE1ADF8C1445A9D6EE7D7A31039FFDB31D
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):407094
                    Entropy (8bit):7.892737288179779
                    Encrypted:false
                    SSDEEP:12288:dExDfygOOzfNpV4z9ltteFPq99IN2dqifUkLI3BqTgp5RxvE:dEogOO5pVW9sPadHcQIRqkfRm
                    MD5:A9818CDDDD3427558A1B52F3A897F7D5
                    SHA1:8C4E0E6B5D38718775853897B5ADE3DCA8860BD7
                    SHA-256:8EDCE98287539533D272D1B9624DEFF8FF5ADAF11C1CC5CFE5256BF4422BB77A
                    SHA-512:DBE1AA049950BE7299549744BF035DC0731BB9626C2EE6CA02C3FCCAE864817AFFECDA4189E1E9FEF8BE37D7486DED6DA801CDEDA6715F7A2694CB1C9EE3ED19
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):11260
                    Entropy (8bit):7.621026394481169
                    Encrypted:false
                    SSDEEP:192:97FGNNtmiwVKCnqHkoZuBjxWM511oz6O0pEUENrnsBLU8PiNmfpcYjlNuq:7Grtmiw8WmgWM5112hVQb3c8
                    MD5:5AB857851BB90F19CFC4A5BEF68F6285
                    SHA1:DA5AE7783350302148E567C21E1A25FF312F43F3
                    SHA-256:D8D0DD78ACE87908E973377FB0CE249AE7D84B653AA45FD2AF1914516224564D
                    SHA-512:EE007315B9A590A64598532D1E78088362EB9F441945E71006978879DB03A6DB2CBAD08D1039793A27275548093BF3AE1ADF8C1445A9D6EE7D7A31039FFDB31D
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8ed81b20, page size 32768, DirtyShutdown, Windows version 10.0
                    Category:dropped
                    Size (bytes):14680064
                    Entropy (8bit):0.9773395381746423
                    Encrypted:false
                    SSDEEP:6144:ogMnQEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHL:Jn/cj5tND5ApBK4K
                    MD5:B35689031399BB043B8876DD60E00CA9
                    SHA1:CADD361793A36AE9237AF30910D748C473B88D96
                    SHA-256:5D49757AA0C92D12C81D6A3567F7B3A80B6678A0CABDDF5EBB8ED88F7BDD9937
                    SHA-512:45EF2B0BC0B4E6837972F099768881662840E23E7A5FEE8BA13AE7ADB2DB967704BCE10D94898E300F3DB24D2886CE141B63620A10DA9EEF5E1C66B23FD56F22
                    Malicious:false
                    Process:C:\Users\user\Desktop\SALKI098765R400.exe
                    File Type:ASCII text, with very long lines (57348), with no line terminators
                    Category:modified
                    Size (bytes):57348
                    Entropy (8bit):2.7914356676849774
                    Encrypted:false
                    SSDEEP:768:iKfIDzeocvCtm7ed8PqqAprbnZMoTFZldqSjP9WWhMb+0axFWaEHw4kW3UlEJZnE:Pfezeo3rN9Zlt7m2QI0o
                    MD5:AB1D29274213556FD265D9E44A8E2813
                    SHA1:902AF8ADB5D52A2871DC1E956162514D829BE033
                    SHA-256:9DBB2C43E92FB67336AFDED940C19E37DE86CA86554341C9C8C94030F84F893D
                    SHA-512:A4FE1E9ADF1CD45E9843268899035B417009E3DFBB6B11BDE32C04BF202A25DFDEC670ED08A83DCECE1A9EFED590EC950DFE3A60F6395479F289E0ADAC207033
                    Malicious:false
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                    Category:modified
                    Size (bytes):2
                    Entropy (8bit):1.0
                    Encrypted:false
                    SSDEEP:3:Qn:Qn
                    MD5:F3B25701FE362EC84616A93A45CE9998
                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                    Malicious:false
                    Preview:..
                    Process:C:\Users\user\Desktop\SALKI098765R400.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):494080
                    Entropy (8bit):7.648262339543158
                    Encrypted:false
                    SSDEEP:6144:NnWbcCKo52g0got6izBVRxIYJtIs4twEwE9kAm37iV2C3w2O80bpaiQsOZM3eA1M:NngcClMgotPzBVRNEP7/W8JnKfBC7
                    MD5:CF1214864AB14D2BF906B73636DA3A0E
                    SHA1:AD71B3268D6F91395727D02DDD007E5B75CFBCC9
                    SHA-256:5960B9AC19D8D6C016E018D72F6376E4EC87BDF440B126393BEBE526B5E10DBC
                    SHA-512:1502D6017B1523FDA0526479A4481A966707BB3F8D8EB3B890079C5FD92F58D6554DA59268940C2FDAD0D2DAEAAE863E9E46549A3A1A2DCDF2184FCCD7DE4BA4
                    Malicious:false
                    Process:C:\Users\user\Desktop\SALKI098765R400.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                    Category:modified
                    Size (bytes):1055744
                    Entropy (8bit):7.813008176433629
                    Encrypted:false
                    SSDEEP:24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd
                    MD5:2A2526A15732CD1F3F8859FE3F504CB9
                    SHA1:53F5EEE1F770D79666D7421823F29EE21D8CBA3E
                    SHA-256:406306EFB272ACD3C69AB3B1C1FADEA2C41BF817CE71E5872B6FF426248207D5
                    SHA-512:029F573EDC92908F027A46D035D0CE6B69F9AC2CD0B82DD1DF75BB8EE43A02850E644217FC68D67B4A9633ED408534F7E46896AFB7F337B71D9072B5140003D8
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 32%
                    • Antivirus: Virustotal, Detection: 45%, Browse
                    Process:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):284
                    Entropy (8bit):3.4373558688331642
                    Encrypted:false
                    SSDEEP:6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1WlG6qrolK3OdnriIM8lfQVn:DsO+vNlMkXg1Q1+uOFmA2n
                    MD5:C1C7282FCCD13340B8054E207AB62D30
                    SHA1:8C5A5377B5EDCEC367C66B987477F597FA637F49
                    SHA-256:7DBC28AC6C9D7AC66C986BEBFE0655352847C0ABEC06B3E81EE26162FED1608C
                    SHA-512:D5B86AA42F635336BAE0EBE72F8AE8F1E34ACE54FCC138BAC80C9F4E769FF8D3AF1521CB1A1FC84437CE4FDF2D577388FE2CC4EB35470F972B15EDB22C3CEDB3
                    Malicious:true
                    Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.c.r.o.l.a.r.\.M.o.n.t.e.v.e.r.d.i...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                    Entropy (8bit):7.813008176433629
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.39%
                    • UPX compressed Win32 Executable (30571/9) 0.30%
                    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    File name:SALKI098765R400.exe
                    File size:1'055'744 bytes
                    MD5:2a2526a15732cd1f3f8859fe3f504cb9
                    SHA1:53f5eee1f770d79666d7421823f29ee21d8cba3e
                    SHA256:406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
                    SHA512:029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8
                    SSDEEP:24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd
                    TLSH:EE25CFF1317DD393E1A18EB11FDA86B0B9F176ACD8D0160D60F59B2E93E2350149C9EA
                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                    Icon Hash:6194944323030383
                    Entrypoint:0x5897a0
                    Entrypoint Section:UPX1
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66D135E7 [Fri Aug 30 03:00:55 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:21371b611d91188d602926b15db6bd48
                    Instruction
                    pushad
                    mov esi, 0052D000h
                    lea edi, dword ptr [esi-0012C000h]
                    push edi
                    jmp 00007F7860B3531Dh
                    nop
                    mov al, byte ptr [esi]
                    inc esi
                    mov byte ptr [edi], al
                    inc edi
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007F7860B352FFh
                    mov eax, 00000001h
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc eax, eax
                    add ebx, ebx
                    jnc 00007F7860B3531Dh
                    jne 00007F7860B3533Ah
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007F7860B35331h
                    dec eax
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc eax, eax
                    jmp 00007F7860B352E6h
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc ecx, ecx
                    jmp 00007F7860B35364h
                    xor ecx, ecx
                    sub eax, 03h
                    jc 00007F7860B35323h
                    shl eax, 08h
                    mov al, byte ptr [esi]
                    inc esi
                    xor eax, FFFFFFFFh
                    je 00007F7860B35387h
                    sar eax, 1
                    mov ebp, eax
                    jmp 00007F7860B3531Dh
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007F7860B352DEh
                    inc ecx
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007F7860B352D0h
                    add ebx, ebx
                    jne 00007F7860B35319h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc ecx, ecx
                    add ebx, ebx
                    jnc 00007F7860B35301h
                    jne 00007F7860B3531Bh
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jnc 00007F7860B352F6h
                    add ecx, 02h
                    cmp ebp, FFFFFB00h
                    adc ecx, 02h
                    lea edx, dword ptr [edi+ebp]
                    cmp ebp, FFFFFFFCh
                    jbe 00007F7860B35320h
                    mov al, byte ptr [edx]
                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22e624 | 0x424 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0xa4624 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x22ea48 | 0x14 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x189984 | 0x18 | UPX1
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1899a4 | 0xa0 | UPX1
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    UPX0 | 0x1000 | 0x12c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    UPX1 | 0x12d000 | 0x5d000 | 0x5cc00 | fd377e27b93509f430e1e5c7a15e098a | False | 0.9874336674528302 | data | 7.935831100956208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x18a000 | 0xa5000 | 0xa4c00 | 4f5067470545e8a2e1fa952890e9013d | False | 0.7756647738050075 | data | 7.652495272632473 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0x18a5dc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                    RT_ICON | 0x18a708 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                    RT_ICON | 0x18a834 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                    RT_ICON | 0x18a960 | 0x1826 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9217081850533808
                    RT_ICON | 0x18c18c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.04561989826097244
                    RT_ICON | 0x19c9b8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.08419171746899307
                    RT_ICON | 0x1a5e64 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.10757855822550831
                    RT_ICON | 0x1ab2f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.09559518186112423
                    RT_ICON | 0x1af51c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.15549792531120332
                    RT_ICON | 0x1b1ac8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.1824577861163227
                    RT_ICON | 0x1b2b74 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.2934426229508197
                    RT_ICON | 0x1b3500 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.3421985815602837
                    RT_MENU | 0xfd938 | 0x50 | empty | English | Great Britain | 0
                    RT_STRING | 0xfd988 | 0x594 | empty | English | Great Britain | 0
                    RT_STRING | 0xfdf1c | 0x68a | empty | English | Great Britain | 0
                    RT_STRING | 0xfe5a8 | 0x490 | empty | English | Great Britain | 0
                    RT_STRING | 0xfea38 | 0x5fc | empty | English | Great Britain | 0
                    RT_STRING | 0xff034 | 0x65c | empty | English | Great Britain | 0
                    RT_STRING | 0xff690 | 0x466 | empty | English | Great Britain | 0
                    RT_STRING | 0xffaf8 | 0x158 | empty | English | Great Britain | 0
                    RT_RCDATA | 0x1b396c | 0x7a6e4 | data | | | 1.000321052253747
                    RT_GROUP_ICON | 0x22e054 | 0x84 | data | English | Great Britain | 0.7272727272727273
                    RT_GROUP_ICON | 0x22e0dc | 0x14 | data | English | Great Britain | 1.25
                    RT_GROUP_ICON | 0x22e0f4 | 0x14 | data | English | Great Britain | 1.15
                    RT_GROUP_ICON | 0x22e10c | 0x14 | data | English | Great Britain | 1.25
                    RT_VERSION | 0x22e124 | 0x10c | data | English | Great Britain | 0.5895522388059702
                    RT_MANIFEST | 0x22e234 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                    DLL | Import
                    KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                    ADVAPI32.dll | GetAce
                    COMCTL32.dll | ImageList_Remove
                    COMDLG32.dll | GetSaveFileNameW
                    GDI32.dll | LineTo
                    IPHLPAPI.DLL | IcmpSendEcho
                    MPR.dll | WNetGetConnectionW
                    ole32.dll | CoGetObject
                    OLEAUT32.dll | OleLoadPicture
                    PSAPI.DLL | GetProcessMemoryInfo
                    SHELL32.dll | DragFinish
                    USER32.dll | GetDC
                    USERENV.dll | LoadUserProfileW
                    UxTheme.dll | IsThemeActive
                    VERSION.dll | VerQueryValueW
                    WININET.dll | FtpOpenFileW
                    WINMM.dll | timeGetTime
                    WSOCK32.dll | connect
                    Language of compilation system | Country where language is spoken | Map
                    English | Great Britain |
                    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                    2024-08-30T09:23:25.186663+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    2024-08-30T09:23:25.988192+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    2024-08-30T09:25:41.161619+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    2024-08-30T09:23:27.318743+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 30, 2024 09:23:26.883755922 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.883779049 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883796930 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883807898 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883817911 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883827925 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883836031 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.883838892 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883867979 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.883887053 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883898020 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883898973 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.883909941 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883920908 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883929014 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.883933067 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.883960962 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.884632111 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.884651899 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.884674072 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.893179893 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.971816063 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971832991 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971846104 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971857071 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971869946 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971875906 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.971904039 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.971950054 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971961021 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.971980095 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972095013 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972111940 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972122908 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972127914 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972134113 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972146034 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972157001 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972158909 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972167969 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972178936 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972184896 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972189903 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972201109 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972208977 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972210884 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972227097 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972258091 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972371101 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972382069 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972393990 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972428083 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972608089 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972626925 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972640038 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972646952 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972651958 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972670078 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972678900 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972681046 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972692966 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972698927 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972707987 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972711086 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972731113 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972738981 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972795010 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972805977 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972815990 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972826958 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972845078 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972855091 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972856998 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972867012 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972877026 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972879887 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972888947 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972898006 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972898960 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972909927 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972915888 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972922087 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.972939014 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.972974062 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973421097 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973433018 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973445892 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973464966 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973469973 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973483086 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973495007 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973505020 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973506927 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973526001 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973551035 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973562002 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973572969 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973583937 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973584890 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973596096 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973617077 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973628044 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973683119 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973694086 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973705053 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973715067 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973725080 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973728895 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973736048 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973743916 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973747015 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973757982 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973769903 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.973778963 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.973793030 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974380970 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974399090 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974419117 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974428892 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974430084 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974441051 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974451065 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974455118 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974462986 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974478960 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974505901 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974577904 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974589109 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974601030 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974611998 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974628925 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974631071 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974641085 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974652052 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974658966 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974662066 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974679947 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974690914 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974694014 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974701881 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974711895 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974720955 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974723101 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974735975 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.974736929 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974755049 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.974916935 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975384951 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975397110 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975408077 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975424051 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975439072 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975441933 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975452900 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975460052 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975464106 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975475073 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975486040 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975487947 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975496054 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975507021 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975513935 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975518942 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975528002 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975565910 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975572109 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975583076 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975594044 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975605011 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975615025 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975614071 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975625992 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975632906 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975636959 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975647926 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975657940 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:26.975699902 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:26.975718021 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.012574911 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064460993 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064548969 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064560890 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064572096 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064583063 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064594030 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064595938 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064604998 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064610004 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064651012 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064872026 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064884901 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064896107 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064905882 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064910889 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064915895 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064925909 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064937115 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064941883 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064946890 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064959049 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064969063 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064979076 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064980984 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.064989090 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.064999104 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065006018 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065011024 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065021038 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065035105 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065037012 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065045118 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065047026 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065059900 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065066099 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065072060 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065084934 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065110922 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065298080 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065314054 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065355062 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065481901 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065494061 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065505028 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065522909 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065534115 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065538883 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065557003 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065560102 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065571070 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065582037 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065592051 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065612078 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065623045 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065629959 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065633059 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065644026 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065654039 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065654993 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065665960 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065673113 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065676928 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065687895 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065706015 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065716028 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065716982 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065726995 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065737009 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065742016 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065747023 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065758944 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065757990 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065768957 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065773964 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065778971 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065788984 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065799952 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065799952 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065809965 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065820932 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065838099 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065845013 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065848112 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065859079 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065869093 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065880060 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.065885067 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.065917015 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069544077 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069557905 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069581032 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069591999 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069598913 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069602013 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069612026 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069614887 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069627047 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069643021 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069658041 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069658995 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069670916 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069683075 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069684029 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069694042 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069708109 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069730997 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069875002 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069885969 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069895983 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069905996 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069917917 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069921970 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069927931 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069940090 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069948912 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069950104 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069960117 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069969893 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069971085 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.069979906 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.069991112 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.070002079 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.070028067 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.070030928 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.070038080 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.070049047 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.070067883 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.070096016 CEST497008787192.168.2.7192.210.150.26
                    Aug 30, 2024 09:23:27.070233107 CEST878749700192.210.150.26192.168.2.7
                    Aug 30, 2024 09:23:27.070244074 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070255041 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070266008 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070275068 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070280075 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070286036 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070296049 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070302010 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070306063 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070317030 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070327997 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070331097 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070333958 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070343971 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070353985 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070358038 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070363998 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070374966 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070378065 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070410967 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070554018 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070596933 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070656061 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070667028 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070677042 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070687056 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070697069 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070698023 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070708990 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.070728064 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.070758104 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.074240923 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.156780005 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156795025 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156807899 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156829119 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156840086 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156852961 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.156857014 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156871080 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156898022 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.156929016 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.156975031 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.156994104 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157006025 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157016039 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157017946 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157027006 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157046080 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157046080 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157063961 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157074928 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157075882 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157093048 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157104015 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157108068 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157114983 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157125950 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157128096 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157143116 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157154083 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157165051 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157165051 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157177925 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157183886 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157190084 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157205105 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157215118 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157226086 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157233000 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157238007 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157252073 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157262087 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157278061 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157278061 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157294989 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157305956 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157313108 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157325029 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157330990 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157341957 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157345057 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157375097 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157397985 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157414913 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157426119 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157437086 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157454014 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157464981 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157466888 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157475948 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:27.157485962 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.157509089 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.318630934 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
                    Aug 30, 2024 09:23:27.318742990 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:23:27.806019068 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:27.810925007 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:28.318542004 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
                    Aug 30, 2024 09:23:28.318593025 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:23:29.795130014 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:29.800084114 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800100088 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800111055 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800120115 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800127983 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800194025 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:29.800208092 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800312042 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800321102 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800352097 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.800359964 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805126905 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805175066 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805255890 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805264950 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805310965 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805319071 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.805327892 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.855572939 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:29.861032009 CEST | 8787 | 49700 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:29.861253977 CEST | 49700 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:41.056037903 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:23:41.057640076 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:23:41.062500000 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:24:11.248229980 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:24:11.249665976 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:24:11.254611969 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:24:41.102015018 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:24:41.103437901 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:24:41.108280897 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:25:11.136490107 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:25:11.137687922 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:25:11.146043062 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:25:16.627252102 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:17.080199003 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:17.783277035 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:18.986407042 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:21.481592894 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:26.377060890 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:35.986499071 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                    Aug 30, 2024 09:25:41.161618948 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:25:41.162966013 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:25:41.167814016 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:26:11.179107904 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:26:11.180911064 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:26:11.185827017 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:26:41.317833900 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:26:41.318991899 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:26:41.324628115 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:27:11.351001024 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Aug 30, 2024 09:27:11.352195978 CEST | 49699 | 8787 | 192.168.2.7 | 192.210.150.26
                    Aug 30, 2024 09:27:11.357054949 CEST | 8787 | 49699 | 192.210.150.26 | 192.168.2.7
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 30, 2024 09:23:26.676449060 CEST | 64800 | 53 | 192.168.2.7 | 1.1.1.1
                    Aug 30, 2024 09:23:26.685570002 CEST | 53 | 64800 | 1.1.1.1 | 192.168.2.7
                    Aug 30, 2024 09:23:54.447324991 CEST | 53 | 54915 | 162.159.36.2 | 192.168.2.7
                    Aug 30, 2024 09:23:54.912585020 CEST | 55038 | 53 | 192.168.2.7 | 1.1.1.1
                    Aug 30, 2024 09:23:54.935590982 CEST | 53 | 55038 | 1.1.1.1 | 192.168.2.7
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Aug 30, 2024 09:23:26.676449060 CEST | 192.168.2.7 | 1.1.1.1 | 0x4a66 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                    Aug 30, 2024 09:23:54.912585020 CEST | 192.168.2.7 | 1.1.1.1 | 0x587a | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Aug 30, 2024 09:23:26.685570002 CEST | 1.1.1.1 | 192.168.2.7 | 0x4a66 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                    Aug 30, 2024 09:23:54.935590982 CEST | 1.1.1.1 | 192.168.2.7 | 0x587a | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                    • geoplugin.net
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | 4508 | C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 30, 2024 09:23:26.702610970 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                    Host: geoplugin.net
                    Cache-Control: no-cache
                    Aug 30, 2024 09:23:27.318630934 CEST | 1170 | IN | HTTP/1.1 200 OK
                    date: Fri, 30 Aug 2024 07:23:27 GMT
                    server: Apache
                    content-length: 962
                    content-type: application/json; charset=utf-8
                    cache-control: public, max-age=300
                    access-control-allow-origin: *
                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                    Target ID:0
                    Start time:03:23:22
                    Start date:30/08/2024
                    Path:C:\Users\user\Desktop\SALKI098765R400.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\SALKI098765R400.exe"
                    Imagebase:0x420000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:03:23:23
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\SALKI098765R400.exe"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3712323766.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3711463284.0000000001108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3713280494.00000000040AF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3711463284.0000000001144000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3713180077.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3712832737.0000000003AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 32%, ReversingLabs
                    • Detection: 45%, Virustotal, Browse
                    Reputation:low
                    Has exited:false

                    Target ID:12
                    Start time:03:23:26
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\kzprjxuapxdhlyxhl"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:13
                    Start time:03:23:26
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\vcukjqfccfvunelldxmk"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:14
                    Start time:03:23:27
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\xwickiyvqnnyythxmizmrgn"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:15
                    Start time:03:23:27
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\user\AppData\Local\Temp\xwickiyvqnnyythxmizmrgn"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:19
                    Start time:03:23:35
                    Start date:30/08/2024
                    Path:C:\Windows\System32\wscript.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs"
                    Imagebase:0x7ff72a170000
                    File size:170'496 bytes
                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:20
                    Start time:03:23:36
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.1392771241.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:21
                    Start time:03:23:37
                    Start date:30/08/2024
                    Path:C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
                    Imagebase:0x50000
                    File size:1'055'744 bytes
                    MD5 hash:2A2526A15732CD1F3F8859FE3F504CB9
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.1401362384.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.1402805199.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.1401843979.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                      Execution Graph

                      Execution Coverage:5.4%
                      Dynamic/Decrypted Code Coverage:2%
                      Signature Coverage:8%
                      Total number of Nodes:889
                      Total number of Limit Nodes:56
                      execution_graph: the interactive viewer's edge list (nodes are function addresses, edges are call/return relations between them) is not reproduced. The API-bearing nodes recoverable from that list, grouped by what they do:
                      • File I/O: CreateFileW (42575c, 46403b, 1fb2493); ReadFile / SetFilePointerEx / WriteFile (43f866, 48ca89, 48ccff, 4253c7, 425564, 463f9c, 429a8c, 43e40f); CloseHandle (426216, 426246, 4624aa); GetFileAttributesW, FindFirstFileW, FindClose (48dbdc, 48dbe8, 48dbf9); GetFullPathNameW (423364, 423aaf); GetLongPathNameW (422db2); GetModuleFileNameW (423a67); SetCurrentDirectoryW (422b66); GetStdHandle (421325).
                      • Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey (423556, 463176, 4631b7, 46320c; 423b30, 423b4a, 423b80).
                      • Resources: FindResourceExW, LoadResource, SizeofResource, LockResource (4242bc, 4635ba, 4635cf, 4635e3).
                      • Memory and loader: VirtualAlloc (43fd1d, 1fb24fe); RtlAllocateHeap (453849); a stub at 5a97a0 that calls LoadLibraryA (5a98ca) and GetProcAddress (5a98f3) in a loop, then VirtualProtect twice (5a990f) and ExitProcess (5a9909) on failure; GetPEB (1fb2070, 1fb34b0) and Sleep (1fb22c9) in the 1fb0000 region, which lies outside the main image mapped at 420000.
                      • OS and architecture probe: GetVersionExW (4242f5); GetCurrentProcess, IsWow64Process (42441b); LoadLibraryA (42444f), GetProcAddress (424460), GetNativeSystemInfo (424470), GetSystemInfo (42449c, 463824), FreeLibrary (42447a).
                      • GUI and message loop: GetSysColorBrush, RegisterClassExW, RegisterClipboardFormatW, LoadIconW (422cd4, 422d65, 421b96); CreateWindowExW, ShowWindow (422c63); Shell_NotifyIconW (4230f2, 463386, 423906, 4239f9); SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, PostQuitMessage, DefWindowProcW (42321d, 423201, 423246, 462dd7, 462dc6, 423265, 4231d0); DeleteObject, DestroyWindow, DestroyCursor, ExtractIconExW, LoadStringW (423c50, 4635ad, 48c874, 463393); PeekMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, timeGetTime (42db8f, 42db73, 471cbe, 43edf6, 42da04, 471dda); SystemParametersInfoW (421cad); OleInitialize (421387).
                      • Threading and runtime: critical-section and event wrappers (440242, 4401f8, 44918d, 4491a1, 452f5e, 452fa6, 44e5d4); InitializeCriticalSectionAndSpinCount, InterlockedExchange, DuplicateHandle (49011d); CreateThread (490944); RaiseException (4432a4); CRT start-up and fail-fast paths (GetStartupInfoW, GetModuleHandleW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter at 44083f, 440aea, 440698, 452317, 440992, 440c21, 44096c).

                      Control-flow Graph

                      (The viewer colours basic blocks Executed or Not Executed; the colouring is lost in this copy.)
                      control_flow_graph for the function at 4242de: the basic-block edge list is not reproduced. Recoverable structure: the entry block 4242de-42434d calls 42a961, GetVersionExW and the string helper 426b57; after a chain of string-handling blocks (42435d-4243bc, 4243ca-42440f, 4636xx-4637xx) control reaches 42441b-424435, which calls GetCurrentProcess and IsWow64Process; 42443d-424449 then either calls GetSystemInfo directly (463824) or LoadLibraryA (42444f); on a non-null module 424460 calls GetProcAddress and, if the export is found, 424470 calls GetNativeSystemInfo, otherwise 42449c calls GetSystemInfo; 42447a calls FreeLibrary before the function returns through 424481-424493.
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 0042430D
                        • Part of subcall function 00426B57: _wcslen.LIBCMT ref: 00426B6A
                      • GetCurrentProcess.KERNEL32(?,004BCB64,00000000,?,?), ref: 00424422
                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00424429
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00424454
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00424466
                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00424474
                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0042447B
                      • GetSystemInfo.KERNEL32(?,?,?), ref: 004244A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                      • API String ID: 3290436268-3101561225
                      • Opcode ID: a95b6e454c8ae62c8012d56f71c86aa9a4b5a1a962f7eaee2aa6bcd7392feb2a
                      • Instruction ID: 3de2e28995b5ddc61e6d45c616de20de9d65b5a3f7b958fc382e97fa8e077077
                      • Opcode Fuzzy Hash: a95b6e454c8ae62c8012d56f71c86aa9a4b5a1a962f7eaee2aa6bcd7392feb2a
                      • Instruction Fuzzy Hash: 28A1A465A0A2E4DFE711DB6DBC815B57FE4AB76301B0848BADC4193B31D2284535CB2F

                      Control-flow Graph
                      • Rendered graph (edge list and Executed/Not Executed legend omitted). Window procedure starting at 423170: it dispatches on the message and its blocks call NtdllDefWindowProc_W, PostQuitMessage, KillTimer, SetTimer, RegisterClipboardFormatW, CreatePopupMenu, MoveWindow and SetFocus (the last two appear only in the graph, not in the API list below).
                      APIs
                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0042316A,?,?), ref: 004231D8
                      • KillTimer.USER32(?,00000001,?,?,?,?,?,0042316A,?,?), ref: 00423204
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00423227
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00423232
                      • CreatePopupMenu.USER32 ref: 00423246
                      • PostQuitMessage.USER32(00000000), ref: 00423267
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                      • String ID: TaskbarCreated
                      • API String ID: 157504867-2362178303
                      • Opcode ID: 1554d142e32187122cce6e0af4517fcd4ba2d81600ba9f73513fa9b43c30c10c
                      • Instruction ID: b5bf3577d50e712d7c1b09b3173e0d7c14adfe9df3b4e7fe4f0086a865f911fc
                      • Opcode Fuzzy Hash: 1554d142e32187122cce6e0af4517fcd4ba2d81600ba9f73513fa9b43c30c10c
                      • Instruction Fuzzy Hash: 10411631300224E7DB141F78AD89B7A3639E705346F84413BF941962B2DBAD9E11D7BE

                      Control-flow Graph
                      • Rendered graph (edge list and Executed/Not Executed legend omitted). Single path starting at 4242a2: FindResourceExW, then LoadResource, SizeofResource and LockResource in sequence, each failure branching to the common exit at 4242d9.
                      APIs
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 004242C9
                      • LoadResource.KERNEL32(?,00000000), ref: 004635BE
                      • SizeofResource.KERNEL32(?,00000000), ref: 004635D3
                      • LockResource.KERNEL32(?), ref: 004635E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID: SCRIPT
                      • API String ID: 3473537107-3967369404
                      • Opcode ID: a678ed6dff95c0d9c6eb1882b43f8f1a41d101383510d81ad79eca3237af637a
                      • Instruction ID: 94f1c92815b075e053f9af3fd2fd472b47897e648cd82c56c948f2755e3398fd
                      • Opcode Fuzzy Hash: a678ed6dff95c0d9c6eb1882b43f8f1a41d101383510d81ad79eca3237af637a
                      • Instruction Fuzzy Hash: 89117C70600700FFDB258B66EC88F677BB9EBC5B91F2042AAF402D6290DB71DC008675
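                      The FindResourceExW call listed above passes lpType 0x0A (RT_RCDATA) and lpName "SCRIPT": that is how a compiled AutoIt binary locates its embedded script before the interpreter runs it, so that resource is the first artifact to pull during triage. The following standard-library-only Python walks the PE resource directory (type, name, language) and returns that blob. It is an added example, not code from Joe Sandbox, AutoIt or the analysed sample; the build_sample_pe helper fabricates a minimal PE32 so the code runs offline, and its layout is an assumption for the demo, not the layout of SALKI098765R400.exe.

```python
"""Pull the compiled AutoIt script stored as RT_RCDATA/"SCRIPT" out of a PE.
Standard library only; build_sample_pe() fabricates a minimal PE32 so the
example runs offline (assumed demo layout, not the analysed sample's)."""
import struct

RT_RCDATA = 10  # lpType 0x0A in the FindResourceExW call in the report

def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]

def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]

def _nt_header(pe):
    """Validate MZ/PE signatures and return the offset of the PE signature."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table."""
    nt = _nt_header(pe)
    nsect, opt_size = _u16(pe, nt + 6), _u16(pe, nt + 20)
    for i in range(nsect):
        s = nt + 24 + opt_size + 40 * i          # IMAGE_SECTION_HEADER i
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, s + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def resource_dir_rva(pe):
    """RVA of IMAGE_DIRECTORY_ENTRY_RESOURCE (index 2), PE32 or PE32+."""
    opt = _nt_header(pe) + 24
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)  # data directory start
    return _u32(pe, dd + 2 * 8)

def _dir_entries(pe, base, dir_off):
    """Yield (name_or_id, is_subdirectory, offset) for one resource directory."""
    n = _u16(pe, base + dir_off + 12) + _u16(pe, base + dir_off + 14)
    for i in range(n):
        name, data = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
        if name & 0x80000000:  # named entry -> IMAGE_RESOURCE_DIR_STRING_U
            s = base + (name & 0x7FFFFFFF)
            key = pe[s + 2:s + 2 + 2 * _u16(pe, s)].decode("utf-16-le")
        else:
            key = name         # integer ID (type id, or language id at level 3)
        yield key, bool(data & 0x80000000), data & 0x7FFFFFFF

def extract_au3_script(pe):
    """Return the raw RT_RCDATA/"SCRIPT" blob, or None when the PE has none."""
    rsrc_rva = resource_dir_rva(pe)
    if not rsrc_rva:
        return None
    base = rva_to_offset(pe, rsrc_rva)
    for key, sub, off in _dir_entries(pe, base, 0):                 # type level
        if key != RT_RCDATA or not sub:
            continue
        for key2, sub2, off2 in _dir_entries(pe, base, off):        # name level
            if key2 != "SCRIPT" or not sub2:
                continue
            for _lang, sub3, off3 in _dir_entries(pe, base, off2):  # language level
                if not sub3:  # IMAGE_RESOURCE_DATA_ENTRY: data RVA, size
                    data_rva, size = struct.unpack_from("<II", pe, base + off3)
                    o = rva_to_offset(pe, data_rva)
                    return pe[o:o + size]
    return None

def build_sample_pe(payload):
    """Constructed PE32 (assumption for the demo): one .rsrc section at RVA 0x1000,
    file offset 0x200, holding RT_RCDATA/"SCRIPT"/lang 0 -> payload."""
    name = "SCRIPT".encode("utf-16-le")
    root, tdir, ndir, dent, sstr = 0x00, 0x18, 0x30, 0x48, 0x58
    pay = sstr + 2 + len(name)
    pay += (-pay) % 8                                   # 8-align the payload
    rsrc = bytearray(pay + len(payload))
    for off, named, ids in ((root, 0, 1), (tdir, 1, 0), (ndir, 0, 1)):
        struct.pack_into("<IIHHHH", rsrc, off, 0, 0, 0, 0, named, ids)
    struct.pack_into("<II", rsrc, root + 16, RT_RCDATA, 0x80000000 | tdir)
    struct.pack_into("<II", rsrc, tdir + 16, 0x80000000 | sstr, 0x80000000 | ndir)
    struct.pack_into("<II", rsrc, ndir + 16, 0, dent)   # language 0 -> data entry
    struct.pack_into("<IIII", rsrc, dent, 0x1000 + pay, len(payload), 0, 0)
    struct.pack_into("<H", rsrc, sstr, len(name) // 2)
    rsrc[sstr + 2:sstr + 2 + len(name)] = name
    rsrc[pay:] = payload
    pe = bytearray(0x200)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                          # e_lfanew
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", pe, 0x58, 0x10B)                         # PE32 magic
    struct.pack_into("<II", pe, 0x58 + 96 + 2 * 8, 0x1000, len(rsrc))  # resource dir
    pe[0x138:0x140] = b".rsrc\0\0\0"
    struct.pack_into("<IIII", pe, 0x140, len(rsrc), 0x1000, len(rsrc), 0x200)
    return bytes(pe) + bytes(rsrc)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"constructed")
    blob = extract_au3_script(data)
    print("no RT_RCDATA/SCRIPT resource" if blob is None else "%d bytes: %r" % (len(blob), blob[:16]))
```

                      The returned blob is the interpreter's input, not source text: compiled AutoIt stores the script compressed and obfuscated, so an AutoIt decompiler is still needed to recover the .au3. The language level accepts the first leaf it finds because real builds do not always use language 0, and the section-table lookup is used instead of assuming the resource section is first, which matters for samples whose headers were rewritten by a packer.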
                      APIs
                      • lstrlenW.KERNEL32(?,00465222), ref: 0048DBCE
                      • GetFileAttributesW.KERNELBASE(?), ref: 0048DBDD
                      • FindFirstFileW.KERNELBASE(?,?), ref: 0048DBEE
                      • FindClose.KERNEL32(00000000), ref: 0048DBFA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: FileFind$AttributesCloseFirstlstrlen
                      • String ID:
                      • API String ID: 2695905019-0
                      • Opcode ID: 67cbd6b170b83c1b90c900eb95f04bed05fe84a7b30a71f9032cb977c691b835
                      • Instruction ID: 3685a062fef8758494a037bbf568e43e9f6b36108a2c53bd2ee10fbb7db7f5a5
                      • Opcode Fuzzy Hash: 67cbd6b170b83c1b90c900eb95f04bed05fe84a7b30a71f9032cb977c691b835
                      • Instruction Fuzzy Hash: 78F0A030C11910578224BB7CAC8D8AF376C9E01334B144B53F836C21E0EBB45D55869E

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00423A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,0042351C,?,?,?,?,0042106A,-004F0FC4), ref: 00423A78
                        • Part of subcall function 00423357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00423527,?,?,?,?,0042106A,-004F0FC4), ref: 00423379
                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0042106A,-004F0FC4), ref: 0042356A
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0042106A,-004F0FC4), ref: 0046318D
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0042106A,-004F0FC4), ref: 004631CE
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,0042106A,-004F0FC4), ref: 00463210
                      • _wcslen.LIBCMT ref: 00463277
                      • _wcslen.LIBCMT ref: 00463286
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                      • String ID: >H$Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 98802146-1979093278
                      • Opcode ID: f758d358c77da27e0db1650522027a24d79bfdf5a11a9879804d4db8e06849c6
                      • Instruction ID: ed7ecbb2a4865e4e0eaa313f1cc5d4003cd7be7579cfea7ba49ae1ff93982f93
                      • Opcode Fuzzy Hash: f758d358c77da27e0db1650522027a24d79bfdf5a11a9879804d4db8e06849c6
                      • Instruction Fuzzy Hash: 17717DB15043119EC314EF66ED819ABBBE8FF85744F80443FF94583160EB789A58CB6A

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00422B8E
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00422B9D
                      • LoadIconW.USER32(00000063), ref: 00422BB3
                      • LoadIconW.USER32(000000A4), ref: 00422BC5
                      • LoadIconW.USER32(000000A2), ref: 00422BD7
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00422BEF
                      • RegisterClassExW.USER32(?), ref: 00422C40
                        • Part of subcall function 00422CD4: GetSysColorBrush.USER32(0000000F), ref: 00422D07
                        • Part of subcall function 00422CD4: RegisterClassExW.USER32(00000030), ref: 00422D31
                        • Part of subcall function 00422CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00422D42
                        • Part of subcall function 00422CD4: LoadIconW.USER32(000000A9), ref: 00422D85
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                      • String ID: #$0$AutoIt v3
                      • API String ID: 2880975755-4155596026
                      • Opcode ID: 68ecc2bea1061f35c844a936841f1d03641097bd74eff8e5910f759af85fbdf7
                      • Instruction ID: 6c324d1a6f39673728b25eb3aec47784f27b695f3dddd519dae9d5073f064b73
                      • Opcode Fuzzy Hash: 68ecc2bea1061f35c844a936841f1d03641097bd74eff8e5910f759af85fbdf7
                      • Instruction Fuzzy Hash: 84212C70E00315EBEB109FA6ECD5AA97FB4FB48B50F00413AF901A66B0D7B50564CF98
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0042BB4E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: p#O$p#O$p#O$p#O$p%O$p%O$x#O$x#O
                      • API String ID: 1385522511-1124879494
                      • Opcode ID: 9f55c776bf6069ef3589203e385d9c75978226adb8b66e6e5a08e70a6becdd05
                      • Instruction ID: dc640f0cab32f7d9b7b8cf98325381bc6541d1a6944a12b6b29497ed9d9c91f1
                      • Opcode Fuzzy Hash: 9f55c776bf6069ef3589203e385d9c75978226adb8b66e6e5a08e70a6becdd05
                      • Instruction Fuzzy Hash: 1832AB71A00219DFDB20CF64D994ABAB7B5EF44304F94805BED09AB351C77CAD82CB99

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00422D07
                      • RegisterClassExW.USER32(00000030), ref: 00422D31
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00422D42
                      • LoadIconW.USER32(000000A9), ref: 00422D85
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 975902462-1005189915
                      • Opcode ID: 4bf44ac124f782a76b09704c5e6ee578f422c4fa2562c502710a5249ba1d12fd
                      • Instruction ID: 35220f15b2e166be6623c5724dc4cf5d47c8941d8be85d7a5fae8c010f324e15
                      • Opcode Fuzzy Hash: 4bf44ac124f782a76b09704c5e6ee578f422c4fa2562c502710a5249ba1d12fd
                      • Instruction Fuzzy Hash: 0D21C5B5911219EFDB00DFA4E889BEDBBB4FB08700F10822AF551A62A0D7B54554CF99

                      Control-flow Graph
                      • Rendered graph (edge list and Executed/Not Executed legend omitted). Message pump starting at 42d7d7: GetInputState, timeGetTime, PeekMessageW, TranslateAcceleratorW, TranslateMessage and DispatchMessageW (TranslateAcceleratorW appears only in the graph, not in the API list below).
                      APIs
                      • GetInputState.USER32 ref: 0042D807
                      • timeGetTime.WINMM ref: 0042DA07
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0042DB28
                      • TranslateMessage.USER32(?), ref: 0042DB7B
                      • DispatchMessageW.USER32(?), ref: 0042DB89
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0042DB9F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Message$Peek$DispatchInputStateTimeTranslatetime
                      • String ID:
                      • API String ID: 3249950245-0
                      • Opcode ID: 81aa1d9ccf0326c7d654d66277724fd26aa11aadb727d934455f3db25837f7cc
                      • Instruction ID: ee5347f9bafcad7df17a04eb390322095a56953a645155ab91ae9c91ca3d077d
                      • Opcode Fuzzy Hash: 81aa1d9ccf0326c7d654d66277724fd26aa11aadb727d934455f3db25837f7cc
                      • Instruction Fuzzy Hash: E2A1AF70A04251DFDB29CF25D894BA6BBE0BB45304F54862FE459873A0D778E884CF9A

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 487 1fb0920-1fb0972 call 1fb0820 CreateFileW 490 1fb097b-1fb0988 487->490 491 1fb0974-1fb0976 487->491 494 1fb099b-1fb09b2 VirtualAlloc 490->494 495 1fb098a-1fb0996 490->495 492 1fb0ad4-1fb0ad8 491->492 496 1fb09bb-1fb09e1 CreateFileW 494->496 497 1fb09b4-1fb09b6 494->497 495->492 499 1fb09e3-1fb0a00 496->499 500 1fb0a05-1fb0a1f ReadFile 496->500 497->492 499->492 501 1fb0a43-1fb0a47 500->501 502 1fb0a21-1fb0a3e 500->502 503 1fb0a49-1fb0a66 501->503 504 1fb0a68-1fb0a7f WriteFile 501->504 502->492 503->492 507 1fb0aaa-1fb0acf FindCloseChangeNotification VirtualFree 504->507 508 1fb0a81-1fb0aa8 504->508 507->492 508->492
                      APIs
                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01FB0965
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                      • Instruction ID: 4c6415db3f1176ec01db368734a21abf0e6a12fafbe9c02d670d90847bb04eae
                      • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                      • Instruction Fuzzy Hash: CB51F976A50208FBEF20DFA5CC89FDF7778EF48700F108A54F60AEA180DA7596458B60

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 517 422c63-422cd3 CreateWindowExW * 2 ShowWindow * 2
                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00422C91
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00422CB2
                      • ShowWindow.USER32(00000000,?,?,00422B2F), ref: 00422CC6
                      • ShowWindow.USER32(00000000,?,?,00422B2F), ref: 00422CCF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true (associated dumps as listed for the first function above)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: fb8821accbad38180795caaa23ad60e6a77885c3aa559b4646b608266a83ec6d
                      • Instruction ID: 763197fd68ca63fcf98364d5b4d45d239e8bae0ace312dae0b55dc10112b11a8
                      • Opcode Fuzzy Hash: fb8821accbad38180795caaa23ad60e6a77885c3aa559b4646b608266a83ec6d
                      • Instruction Fuzzy Hash: 64F0DA76540290BAFB311717AC88EB72EBDD7C7F60B10406AFD00A65B0C6651861DAB8

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00421BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00421BF4
                        • Part of subcall function 00421BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00421BFC
                        • Part of subcall function 00421BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00421C07
                        • Part of subcall function 00421BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00421C12
                        • Part of subcall function 00421BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00421C1A
                        • Part of subcall function 00421BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00421C22
                        • Part of subcall function 00421B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00421BA2
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0042136A
                      • OleInitialize.OLE32 ref: 00421388
                      • CloseHandle.KERNEL32(00000000,00000000), ref: 004624AB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                      • String ID: >H$dMH
                      • API String ID: 3094916012-1501311176
                      • Opcode ID: 8157e1a58abd6271df51e940a936e800a5e03c4311e5c9cdf40d970b86c3e94f
                      • Instruction ID: 8a84dad1dc15270cb9fcbb4dd439c21c439b30c590317de0cd5074949c31bdfe
                      • Opcode Fuzzy Hash: 8157e1a58abd6271df51e940a936e800a5e03c4311e5c9cdf40d970b86c3e94f
                      • Instruction Fuzzy Hash: 2C71CCB4901244EFD384EF7AA9856753AE0FB98388754A23FD40AC7271EB394464CF5D

                      Control-flow Graph (graph image not reproduced; its nodes reference LoadLibraryA, GetProcAddress, ExitProcess and VirtualProtect, listed under APIs below)
                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 005A98DA
                      • GetProcAddress.KERNEL32(?,005A2FF9), ref: 005A98F8
                      • ExitProcess.KERNEL32(?,005A2FF9), ref: 005A9909
                      • VirtualProtect.KERNELBASE(00420000,00001000,00000004,?,00000000), ref: 005A9957
                      • VirtualProtect.KERNELBASE(00420000,00001000), ref: 005A996C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                      • String ID:
                      • API String ID: 1996367037-0
                      • Opcode ID: d0d9805f08d91bb0a99eb87036c7f9579705dee315bfa026281e28290111a2d8
                      • Instruction ID: 6eb7cac6f287d260b964a496d6bf0c5d6ace6f8463104db3dee83c4ba1cfd090
                      • Opcode Fuzzy Hash: d0d9805f08d91bb0a99eb87036c7f9579705dee315bfa026281e28290111a2d8
                      • Instruction Fuzzy Hash: 5C51E971A542735BD7209EBC9CC0669BF94FB533247280739C5E6C73C6EBA85806C7A0

                      Control-flow Graph (graph image not reproduced; its nodes reference CreateFileW, VirtualAlloc and ReadFile)
                      APIs
                        • Part of subcall function 01FB22C0: Sleep.KERNELBASE(000001F4), ref: 01FB22D1
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01FB24D6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: 5FQCT1OGNKCU4IPL
                      • API String ID: 2694422964-4036242590
                      • Opcode ID: ac46bef636165db3fd79e225decb54ad8fadf376ba4cf62b30dae10da0e3e599
                      • Instruction ID: 3f38f4b79a1f8f844df92e243ac1a5bab84ba72d8962793f3c4b6b5dffe61bbf
                      • Opcode Fuzzy Hash: ac46bef636165db3fd79e225decb54ad8fadf376ba4cf62b30dae10da0e3e599
                      • Instruction Fuzzy Hash: 9D518071D14249DAEF21DBA4C858BEFBBB9AF54300F004199E609BB2C0D77A1B45CBA5

                      Control-flow Graph (graph image not reproduced; its nodes reference RegOpenKeyExW, RegQueryValueExW and RegCloseKey, listed under APIs below)
                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00423B0F,SwapMouseButtons,00000004,?), ref: 00423B40
                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00423B0F,SwapMouseButtons,00000004,?,?,?,?,00424D9C), ref: 00423B61
                      • RegCloseKey.KERNELBASE(00000000,?,?,00423B0F,SwapMouseButtons,00000004,?,?,?,?,00424D9C), ref: 00423B83
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      • Opcode ID: 5b5d38998aad72c90ca6c78732cef5600b4decb922609dc9dcde06ef79677261
                      • Instruction ID: 6b3ab801be73cd765c695abc2907f59fb6325a42a5dc6a12abfbc2c184dc41cf
                      • Opcode Fuzzy Hash: 5b5d38998aad72c90ca6c78732cef5600b4decb922609dc9dcde06ef79677261
                      • Instruction Fuzzy Hash: 82113CB5611218FFDB20CFA5EC84EAFBBB8EF04745B50456AF805D7211D239AF409B68
                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004633A2
                        • Part of subcall function 00426B57: _wcslen.LIBCMT ref: 00426B6A
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00423A04
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_wcslen
                      • String ID: Line:
                      • API String ID: 2289894680-1585850449
                      • Opcode ID: 6e8954772836231e8bb79bbef449846193bfd578b7424e86b49c2c54a02e0909
                      • Instruction ID: ebb99fba5756e28e251eae01de81f043587e8dafefcbb3b7bb7e9557796a0929
                      • Opcode Fuzzy Hash: 6e8954772836231e8bb79bbef449846193bfd578b7424e86b49c2c54a02e0909
                      • Instruction Fuzzy Hash: 0C31F671608314AAD320EF11EC45BEB73E8AF41719F40052FF98982191DB7C9A54C7CE
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00440668
                        • Part of subcall function 004432A4: RaiseException.KERNEL32(?,?,?,0044068A,?,004F13F0,?,?,?,?,?,?,0044068A,?,004E8738), ref: 00443304
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00440685
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Exception@8Throw$ExceptionRaise
                      • String ID: Unknown exception
                      • API String ID: 3476068407-410509341
                      • Opcode ID: d848324a1a2d669bd44cc44ae25f1a405311b01f42aed3d4018726ef30d81cf0
                      • Instruction ID: 60bb333461ae0e0cdd2ce15d551837d54e6ddc591adcc0d24c7fa6f5af2bba69
                      • Opcode Fuzzy Hash: d848324a1a2d669bd44cc44ae25f1a405311b01f42aed3d4018726ef30d81cf0
                      • Instruction Fuzzy Hash: C2F0283490020C739F00BA66DC4AD9E776C6E40304B70407BB91991591EF78DA29C58C
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01FB1045
                      • ExitProcess.KERNEL32(00000000), ref: 01FB1064
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Process$CreateExit
                      • String ID: D
                      • API String ID: 126409537-2746444292
                      • Opcode ID: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
                      • Instruction ID: 3e008ba31ebe64d42fe0f0e776af62a2fe969514d1cfc85aee8cf4e0c344b5dd
                      • Opcode Fuzzy Hash: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
                      • Instruction Fuzzy Hash: D8F0F47254424CABDB60DFE5CC89FEE777CBF44701F008508FB0A9A144EA7996088761
                      APIs
                      • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0042556D
                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0042557D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: d23b9876e8730a7dd64569d27adb31e2bac77d78a88e22dd722206771e36e3c3
                      • Instruction ID: d95549e47d83b78028dd91d7f06580330f552aa371be72155bbc867e13146838
                      • Opcode Fuzzy Hash: d23b9876e8730a7dd64569d27adb31e2bac77d78a88e22dd722206771e36e3c3
                      • Instruction Fuzzy Hash: 39317C71A00629FFDB14CF28D880B99B7B6FB08314F54822AE81597344D774FE94CB98
                      APIs
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00423908
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: IconNotifyShell_
                      • String ID:
                      • API String ID: 1144537725-0
                      • Opcode ID: c5ff2c00bc71f66ae18a46f47ad2cdbdc7ed85ee3611d2d91d312495dc81cfb0
                      • Instruction ID: 12474fccbb12d41935d5a2894e1b7164208d6afc0d82a9e6af953114804a4e59
                      • Opcode Fuzzy Hash: c5ff2c00bc71f66ae18a46f47ad2cdbdc7ed85ee3611d2d91d312495dc81cfb0
                      • Instruction Fuzzy Hash: 53317CB0604311DFE320EF65D8847A7BBF4FB49309F00092EF99987250E779AA44CB5A
                      APIs
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0042949C,?,00008000), ref: 00425773
                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0042949C,?,00008000), ref: 00464052
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 77a932e4812dcead551375fb8191dd6c31de525d2152fbdc8544e830ee5bd347
                      • Instruction ID: 16548c963b144a2f89eed3d7dfb2d8cd2ae45ded94859d4887415cd238cd6580
                      • Opcode Fuzzy Hash: 77a932e4812dcead551375fb8191dd6c31de525d2152fbdc8544e830ee5bd347
                      • Instruction Fuzzy Hash: A1019230285235B7E7301A2ADC4EF977F98EF427B0F108311BA9C6A1E0C7B85855CB99
                      APIs
                        • Part of subcall function 01FB08E0: GetFileAttributesW.KERNELBASE(?), ref: 01FB08EB
                      • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01FB11C3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AttributesCreateDirectoryFile
                      • String ID:
                      • API String ID: 3401506121-0
                      • Opcode ID: abd9809dec993c0742bffc2603e96fd3cdbe627d4a31d6c15d659214a87f1571
                      • Instruction ID: 127974180d26220a42890240f903210641e8ea8290f0a23f04c2f1516e7cd99a
                      • Opcode Fuzzy Hash: abd9809dec993c0742bffc2603e96fd3cdbe627d4a31d6c15d659214a87f1571
                      • Instruction Fuzzy Hash: 33519471A1020996EF14EFA0D854BEF737AEF58300F108568A609F7280EB7A9B44C765
                      APIs
                      • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0042543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00429A9C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: c6fea580f750c4470ceec22ee0653725250946c247a0d7229258ce1fab631ae7
                      • Instruction ID: 0edfb6fc0aeeef1de4724a8e78b48e7f60e2eea96bf45202907c961bf72e61ce
                      • Opcode Fuzzy Hash: c6fea580f750c4470ceec22ee0653725250946c247a0d7229258ce1fab631ae7
                      • Instruction Fuzzy Hash: FC118C312007519FEB20CF06D880B67B7F8EF44354F50C42EE59B86A51C774AC45CB68
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID:
                      • API String ID: 176396367-0
                      • Opcode ID: f5e5fc6610e6fb7e5ac836a5b0206eaaee763c473f07ee69d83fcf49947cee70
                      • Instruction ID: 2786061294974add557cefee91c7fe101d224770868963f8a61238707a927ef4
                      • Opcode Fuzzy Hash: f5e5fc6610e6fb7e5ac836a5b0206eaaee763c473f07ee69d83fcf49947cee70
                      • Instruction Fuzzy Hash: 71F028B36006006ED7109F2AD806B67BB94EF44764F50852FFA19CB2D1DB35E41487A8
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00453852
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 5fbc8ac2a33425e75cb438752d753e32784dcc553f22323219bdc8d913d81027
                      • Instruction ID: e5e5c1f21f83ce294fd8c9bc2a19598f1639f898f00c20c063c4cf0ad39d019e
                      • Opcode Fuzzy Hash: 5fbc8ac2a33425e75cb438752d753e32784dcc553f22323219bdc8d913d81027
                      • Instruction Fuzzy Hash: 61E0E531100224A7E6353E679C00B9B36C8AB827F7F150137BC14A36D2CB59DD0981ED
                      APIs
                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00422DC4
                        • Part of subcall function 00426B57: _wcslen.LIBCMT ref: 00426B6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: LongNamePath_wcslen
                      • String ID:
                      • API String ID: 541455249-0
                      • Opcode ID: d5d16ea56beff3d8304a29eeba16ab832dbc3b203c03e4cc9a0a9a748c65c148
                      • Instruction ID: b60865c0752d0ff8e1092dc66ddb791e1d3d38b621f34e9633c930d60e492ba3
                      • Opcode Fuzzy Hash: d5d16ea56beff3d8304a29eeba16ab832dbc3b203c03e4cc9a0a9a748c65c148
                      • Instruction Fuzzy Hash: 2BE0CD72A001345BC72092599C05FDA77DDDFC87D4F0501B6FD09D7258D964AD808555
                      APIs
                        • Part of subcall function 00423837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00423908
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00422B6B
                        • Part of subcall function 004230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0042314E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$CurrentDirectory
                      • String ID:
                      • API String ID: 2619246295-0
                      • Opcode ID: 9668109e9a4fb2e2c5f8aafee33602a1e0e772acd1e2afbd4729389efe5c7f46
                      • Instruction ID: a5a3a48cb93eb36db720c684fb3c559634152c7efc6a3f36f428460eae8fb2ca
                      • Opcode Fuzzy Hash: 9668109e9a4fb2e2c5f8aafee33602a1e0e772acd1e2afbd4729389efe5c7f46
                      • Instruction Fuzzy Hash: CCE0262130022803C604BF36B85247DB7A99BD135AFC0153FF14243163CF6C4945826D
                      APIs
                      • GetFileAttributesW.KERNELBASE(?), ref: 01FB08EB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                      • Instruction ID: fac10362c9697e97ad667173ed67cee842893c274b9c61ee00a674cf262c10b8
                      • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                      • Instruction Fuzzy Hash: FBE0867190520CDBE714CBBD88446EA77B4D704310F004655F526C3280E932CA409758
                      APIs
                      • GetFileAttributesW.KERNELBASE(?), ref: 01FB08BB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                      • Instruction ID: 86b50ee88d31cbfbcc87681edf58162808978a7f381f1467332f66c9087a1bd4
                      • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                      • Instruction Fuzzy Hash: 01D05E3190620CEBCB20CAA99804ADA73B89B04320F004754F91593281DA32DA449790
                      APIs
                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00421CBC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: InfoParametersSystem
                      • String ID:
                      • API String ID: 3098949447-0
                      • Opcode ID: 247002d9abeb558270ab09098577cf8524147bef5c1936e42c025f894631b273
                      • Instruction ID: e36c16404f214b695054047973694315762920508fac619b69e177cb6a86da25
                      • Opcode Fuzzy Hash: 247002d9abeb558270ab09098577cf8524147bef5c1936e42c025f894631b273
                      • Instruction Fuzzy Hash: DAC09B36280315FFF2144780BD8AF207754A348B00F044011F609555F3C3E11430D658
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction ID: 2a04c6bf268382e854056b0929ffe650b060a098162a13e6db4ae2ba2fee505f
                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction Fuzzy Hash: 38310274A001099BD718CF59D48496AFBB1FF49300F24A2A6E80ACB756D739EDC5CBC5
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 01FB22D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction ID: 9ff7bdbcca9ec4f873ef1beaaf3e0b2ec4685c7225d10721a3f9d1347c275611
                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction Fuzzy Hash: FCE0E67494010DDFDB00EFF4D9496EE7FB4EF04301F100265FD01D2281D6319D509A62
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 004B961A
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004B965B
                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004B969F
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004B96C9
                      • SendMessageW.USER32 ref: 004B96F2
                      • GetKeyState.USER32(00000011), ref: 004B978B
                      • GetKeyState.USER32(00000009), ref: 004B9798
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004B97AE
                      • GetKeyState.USER32(00000010), ref: 004B97B8
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004B97E9
                      • SendMessageW.USER32 ref: 004B9810
                      • SendMessageW.USER32(?,00001030,?,004B7E95), ref: 004B9918
                      • SetCapture.USER32(?), ref: 004B994A
                      • ClientToScreen.USER32(?,?), ref: 004B99AF
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004B99D6
                      • ReleaseCapture.USER32 ref: 004B99E1
                      • GetCursorPos.USER32(?), ref: 004B9A19
                      • ScreenToClient.USER32(?,?), ref: 004B9A26
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 004B9A80
                      • SendMessageW.USER32 ref: 004B9AAE
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 004B9AEB
                      • SendMessageW.USER32 ref: 004B9B1A
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004B9B3B
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 004B9B4A
                      • GetCursorPos.USER32(?), ref: 004B9B68
                      • ScreenToClient.USER32(?,?), ref: 004B9B75
                      • GetParent.USER32(?), ref: 004B9B93
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 004B9BFA
                      • SendMessageW.USER32 ref: 004B9C2B
                      • ClientToScreen.USER32(?,?), ref: 004B9C84
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004B9CB4
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 004B9CDE
                      • SendMessageW.USER32 ref: 004B9D01
                      • ClientToScreen.USER32(?,?), ref: 004B9D4E
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004B9D82
                        • Part of subcall function 00439944: GetWindowLongW.USER32(?,000000EB), ref: 00439952
                      • GetWindowLongW.USER32(?,000000F0), ref: 004B9E05
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
                      • String ID: @GUI_DRAGID$F$p#O
                      • API String ID: 1312020300-225106316
                      • Opcode ID: 5cd9141c7a92125a98c6afa14eaf31f70f2756ff6310c9582c81860729629da5
                      • Instruction ID: 5684679088ade2d5b7450ad8e6af3d68f2ca10b73936ac102b10081efdaadf42
                      • Opcode Fuzzy Hash: 5cd9141c7a92125a98c6afa14eaf31f70f2756ff6310c9582c81860729629da5
                      • Instruction Fuzzy Hash: E0428C70204251AFDB24CF24CC84EAABBE5FF49314F14462EF695872A1D775EC60CB69
                      APIs
                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004B48F3
                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004B4908
                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004B4927
                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004B494B
                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004B495C
                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004B497B
                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004B49AE
                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004B49D4
                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004B4A0F
                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004B4A56
                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004B4A7E
                      • IsMenu.USER32(?), ref: 004B4A97
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004B4AF2
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004B4B20
                      • GetWindowLongW.USER32(?,000000F0), ref: 004B4B94
                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004B4BE3
                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004B4C82
                      • wsprintfW.USER32 ref: 004B4CAE
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004B4CC9
                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 004B4CF1
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004B4D13
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004B4D33
                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 004B4D5A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                      • String ID: %d/%02d/%02d
                      • API String ID: 4054740463-328681919
                      • Opcode ID: 307d57ae531100d47382f6816dc36924cc4ddec529ab1e57b93f5c9a29db25e0
                      • Instruction ID: eb27939e8bc6b04cfb0dd6557a4e0a17b062a0bc6119930195f8f16d0280390b
                      • Opcode Fuzzy Hash: 307d57ae531100d47382f6816dc36924cc4ddec529ab1e57b93f5c9a29db25e0
                      • Instruction Fuzzy Hash: 5C12C271500214ABEB258F25CC89FEF7BB8EF89714F10422AF515DB292DB789941CB68
                      APIs
                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0043F998
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0047F474
                      • IsIconic.USER32(00000000), ref: 0047F47D
                      • ShowWindow.USER32(00000000,00000009), ref: 0047F48A
                      • SetForegroundWindow.USER32(00000000), ref: 0047F494
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047F4AA
                      • GetCurrentThreadId.KERNEL32 ref: 0047F4B1
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047F4BD
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0047F4CE
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0047F4D6
                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0047F4DE
                      • SetForegroundWindow.USER32(00000000), ref: 0047F4E1
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0047F4F6
                      • keybd_event.USER32(00000012,00000000), ref: 0047F501
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0047F50B
                      • keybd_event.USER32(00000012,00000000), ref: 0047F510
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0047F519
                      • keybd_event.USER32(00000012,00000000), ref: 0047F51E
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0047F528
                      • keybd_event.USER32(00000012,00000000), ref: 0047F52D
                      • SetForegroundWindow.USER32(00000000), ref: 0047F530
                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0047F557
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      • Opcode ID: 50c8deb3083ce9ac5e5db42ec381570f19a66cbd8d7f8892a3610311932af92e
                      • Instruction ID: 1b935c8058fadde6814b059732ae9f1d70d7814d6da5d9ea6e865a7551a698ab
                      • Opcode Fuzzy Hash: 50c8deb3083ce9ac5e5db42ec381570f19a66cbd8d7f8892a3610311932af92e
                      • Instruction Fuzzy Hash: BC319671A40218BBEB206BB58C89FBF7E6CEB44B50F104536FA04E61D1C6B45D00AAA9
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • DragQueryPoint.SHELL32(?,?), ref: 004B9147
                        • Part of subcall function 004B7674: ClientToScreen.USER32(?,?), ref: 004B769A
                        • Part of subcall function 004B7674: GetWindowRect.USER32(?,?), ref: 004B7710
                        • Part of subcall function 004B7674: PtInRect.USER32(?,?,004B8B89), ref: 004B7720
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 004B91B0
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004B91BB
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004B91DE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 004B9225
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 004B923E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 004B9255
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 004B9277
                      • DragFinish.SHELL32(?), ref: 004B927E
                      • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 004B9371
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#O
                      • API String ID: 4085959399-2519363676
                      • Opcode ID: 29d9ab1db8856da7265fa607a98c35d2ed69c4c50ca7880b699cc07a8cfa07cd
                      • Instruction ID: 40fa824bdef83bda593f1870300ed7f5299a95d450a06643056b6eb5c672b39f
                      • Opcode Fuzzy Hash: 29d9ab1db8856da7265fa607a98c35d2ed69c4c50ca7880b699cc07a8cfa07cd
                      • Instruction Fuzzy Hash: D3618D71108301AFC701DF61DC85DAFBBE8EF99354F400A2EF591931A0DB749A49CB6A
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004B8D5A
                      • GetFocus.USER32 ref: 004B8D6A
                      • GetDlgCtrlID.USER32(00000000), ref: 004B8D75
                      • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004B8E1D
                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004B8ECF
                      • GetMenuItemCount.USER32(?), ref: 004B8EEC
                      • GetMenuItemID.USER32(?,00000000), ref: 004B8EFC
                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004B8F2E
                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004B8F70
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004B8FA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow
                      • String ID: 0
                      • API String ID: 1669892757-4108050209
                      • Opcode ID: f9bc99d621c4c9db55ccb8ccc320690b23a892b77518fffd8d4eb7001e0166c7
                      • Instruction ID: c84954fc4cbd1f57973e8b0a4a183cdc4c3aed03af693174087998497e1d3c7c
                      • Opcode Fuzzy Hash: f9bc99d621c4c9db55ccb8ccc320690b23a892b77518fffd8d4eb7001e0166c7
                      • Instruction Fuzzy Hash: 14817E71504311ABDB10CF24C884AABB7EDFB88354F140A2EF985D7291DB78D901CB79
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                      • API String ID: 0-4052911093
                      • Opcode ID: 24eaaa034b17d787b5bbc6d039889ebf4c81fcbc05358094b714ea8bdcb4e6f4
                      • Instruction ID: adea9aac7a491a2e09abe54438dc85fedaf0f1138f5322c422ec5ed8fc5b9887
                      • Opcode Fuzzy Hash: 24eaaa034b17d787b5bbc6d039889ebf4c81fcbc05358094b714ea8bdcb4e6f4
                      • Instruction Fuzzy Hash: F0729071E002199BDB14CF59C8847EEB7B5EF48310F14816FE909EB381EB789D818B99
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                        • Part of subcall function 0043912D: GetCursorPos.USER32(?), ref: 00439141
                        • Part of subcall function 0043912D: ScreenToClient.USER32(00000000,?), ref: 0043915E
                        • Part of subcall function 0043912D: GetAsyncKeyState.USER32(00000001), ref: 00439183
                        • Part of subcall function 0043912D: GetAsyncKeyState.USER32(00000002), ref: 0043919D
                      • ReleaseCapture.USER32 ref: 004B8B77
                      • SetWindowTextW.USER32(?,00000000), ref: 004B8C12
                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004B8C25
                      • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004B8CFF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                      • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#O
                      • API String ID: 973565025-2598662188
                      • Opcode ID: ef75138637c13dbb01d5af1abde78db4b70a461095d1f11525b6480046746f3e
                      • Instruction ID: c8dba007dde681a94c968a701429484be5760089fd939bf6b6a0657addd1593d
                      • Opcode Fuzzy Hash: ef75138637c13dbb01d5af1abde78db4b70a461095d1f11525b6480046746f3e
                      • Instruction Fuzzy Hash: 2A518EB1204214AFD700EF25DC95FAA77E4FB88714F400A2EF952572E1CB75AD14CB6A
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • GetSystemMetrics.USER32(0000000F), ref: 004B9FC7
                      • GetSystemMetrics.USER32(0000000F), ref: 004B9FE7
                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 004BA224
                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004BA242
                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004BA263
                      • ShowWindow.USER32(00000003,00000000), ref: 004BA282
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004BA2A7
                      • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 004BA2CA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                      • String ID:
                      • API String ID: 830902736-0
                      • Opcode ID: a75adb802d49c5d1443479f64620757c96dce9b7ee75a122ce7e79562ebe6342
                      • Instruction ID: 18496367460269219f65602780a4130260a9e8cbba6c62b2aa2003c02e3ba83b
                      • Opcode Fuzzy Hash: a75adb802d49c5d1443479f64620757c96dce9b7ee75a122ce7e79562ebe6342
                      • Instruction Fuzzy Hash: 82B18B31600215DBDF18CF68C9C57EA7BB2BF44701F0880AAEC459B395D735A960CB66
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00439A4E
                      • GetSysColor.USER32(0000000F), ref: 00439B23
                      • SetBkColor.GDI32(?,00000000), ref: 00439B36
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Color$DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 1958858920-0
                      • Opcode ID: c7c79252c5b20b574bda705289ef9a24d9be6d6dc57a61e3ee54533d98ffbf12
                      • Instruction ID: e9abe703cd2c8b8ee6ead937e3458fe22d514fe760cb1cea4fd12120a43b34f6
                      • Opcode Fuzzy Hash: c7c79252c5b20b574bda705289ef9a24d9be6d6dc57a61e3ee54533d98ffbf12
                      • Instruction Fuzzy Hash: 96A13971108444FEE728BA3D8C98EBB265DDB4A354F14921BF102C67D5CAAD9D02C27E
                      APIs
                      • GetCursorPos.USER32(?), ref: 00439141
                      • ScreenToClient.USER32(00000000,?), ref: 0043915E
                      • GetAsyncKeyState.USER32(00000001), ref: 00439183
                      • GetAsyncKeyState.USER32(00000002), ref: 0043919D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: 238695e87decc54b6bd157083b614fac2c0ad6663180adaf62778986147b5758
                      • Instruction ID: 18277a81020ec66eddff568756557cb5ca3d821dcf4c86763dce37a79d15c231
                      • Opcode Fuzzy Hash: 238695e87decc54b6bd157083b614fac2c0ad6663180adaf62778986147b5758
                      • Instruction Fuzzy Hash: 42414031A0851ABBDF159F64C884BEEB774FB09324F60822AE429A73D0C7785D50CF95
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID: pow
                      • API String ID: 0-2276729525
                      • Opcode ID: 3d0126a94d96ac66593064e9c06397ea5f71f7a3d5b8d0e10e182a477ce37a96
                      • Instruction ID: 41abbbe54870a82178b96a837f84fa3b6882844aa53d8b4fe0c14fde43e56e10
                      • Opcode Fuzzy Hash: 3d0126a94d96ac66593064e9c06397ea5f71f7a3d5b8d0e10e182a477ce37a96
                      • Instruction Fuzzy Hash: AE524621D29F014ED7239635D9223366798AFB23C6F14C737EC16B5AA6EF6CC8874109
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0048D501
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0048D50F
                      • Process32NextW.KERNEL32(00000000,?), ref: 0048D52F
                      • CloseHandle.KERNEL32(00000000), ref: 0048D5DC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: 151159297ebbeff8c43976e72b3611dab1c385db40fd985f516093620d6fda26
                      • Instruction ID: a0de815822e9480619cea1a073aa7c8eddbfb123211e31eb7355c880155afbd4
                      • Opcode Fuzzy Hash: 151159297ebbeff8c43976e72b3611dab1c385db40fd985f516093620d6fda26
                      • Instruction Fuzzy Hash: 2831C471508300AFD300EF55D8C1AAFBBF8EF99348F54092EF581921A1EB759948CB96
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • GetCursorPos.USER32(?), ref: 004B9001
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00477711,?,?,?,?,?), ref: 004B9016
                      • GetCursorPos.USER32(?), ref: 004B905E
                      • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00477711,?,?,?), ref: 004B9094
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                      • String ID:
                      • API String ID: 1423138444-0
                      • Opcode ID: 2042b122bee4bedd48dfa86b67cda9ba5bdd2a320e7ca808fcba453ebec5cacd
                      • Instruction ID: 6613b867b8a4de51f150d749f9c6bf061b01b5b977dabcd9ab291559f9ea9f78
                      • Opcode Fuzzy Hash: 2042b122bee4bedd48dfa86b67cda9ba5bdd2a320e7ca808fcba453ebec5cacd
                      • Instruction Fuzzy Hash: 28218D35600018FFCB259F94C898EFB7BB9EB4A350F14416AFA0547261C3799D60DB64
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • GetClientRect.USER32(?,?), ref: 004B9F31
                      • GetCursorPos.USER32(?), ref: 004B9F3B
                      • ScreenToClient.USER32(?,?), ref: 004B9F46
                      • NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000,?,?,?), ref: 004B9F7A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                      • String ID:
                      • API String ID: 1010295502-0
                      • Opcode ID: efd47e317a90c13da5007bed49fa5dda7f2589d4df79083c5fc3cd4009209b18
                      • Instruction ID: c77203dec6bdd5dcdf5cbb824bf7e5d906ef2f7cb96bcdb3a5d89c6643c8eb26
                      • Opcode Fuzzy Hash: efd47e317a90c13da5007bed49fa5dda7f2589d4df79083c5fc3cd4009209b18
                      • Instruction Fuzzy Hash: 0611283190011AABDB10DFA9C8859FE77B8EB45325F000566FA01E3150D738BE91CBB9
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0045271A
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00452724
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00452731
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: 25356957b584d5a52cd75d0ac2886a95bc3415d1d34a07e66dd4373b5c57942c
                      • Instruction ID: a4f106a7cc713a54532e8b71338c3b160974b4881df8318535504d7ca93e5082
                      • Opcode Fuzzy Hash: 25356957b584d5a52cd75d0ac2886a95bc3415d1d34a07e66dd4373b5c57942c
                      • Instruction Fuzzy Hash: 9C31D67491121C9BCB21DF65DD89BDDB7B8AF08310F5042EAE80CA7261E7749F858F49
                      APIs
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0048168C
                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004816A1
                      • FreeSid.ADVAPI32(?), ref: 004816B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      • Opcode ID: 848a935e622a891b740f3c2dfcf4738cfae07cb05a02266ea1c28589cfed6dc4
                      • Instruction ID: e9f1cfb6161598db11b8598fda47b92598bd090739bbd50e87ee6afb831f67f2
                      • Opcode Fuzzy Hash: 848a935e622a891b740f3c2dfcf4738cfae07cb05a02266ea1c28589cfed6dc4
                      • Instruction Fuzzy Hash: 9AF0F471950309FBDB00EFE49CC9EAEBBBCFB08604F504965E501E2191E774AA448B64
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,00444CBE,?,004E88B8,0000000C,00444E63,?,00000000,00000000,?,0044056E,?,00000007,004E86C8,00000014), ref: 00444D09
                      • TerminateProcess.KERNEL32(00000000,?,00444CBE,?,004E88B8,0000000C,00444E63,?,00000000,00000000,?,0044056E,?,00000007,004E86C8,00000014), ref: 00444D10
                      • ExitProcess.KERNEL32 ref: 00444D22
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 669a2dabecfdffc85fe31152555ac48abe64dcab85f2678090c8b13e5d54e2f6
                      • Instruction ID: b6faeedb7122e34fbc16673e205d8488dba1216127ea3b8c737f6ce999922a09
                      • Opcode Fuzzy Hash: 669a2dabecfdffc85fe31152555ac48abe64dcab85f2678090c8b13e5d54e2f6
                      • Instruction Fuzzy Hash: 2EE0B671400148ABDF21AF55DD89A593BA9EB81786B504529FC059A222CB39DD42CA88
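                      The APIs lists of the records above for the functions at 0048168C (AllocateAndInitializeSid / CheckTokenMembership / FreeSid), 0048D501 (CreateToolhelp32Snapshot / Process32FirstW / Process32NextW / CloseHandle), 0045271A (IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter) and 00444D09 (GetCurrentProcess / TerminateProcess / ExitProcess) are the raw material for a quick triage of what each function is for. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses lines in the report's APIs format, rebuilds the SID that AllocateAndInitializeSid creates from the argument values shown, and tags records whose direct call sets match a few well-known idioms. Two of its readings are facts about the Windows API: AllocateAndInitializeSid with sub-authority count 2 and RIDs 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS) under SECURITY_NT_AUTHORITY builds S-1-5-32-544, BUILTIN\Administrators, and CheckTokenMembership with a NULL token handle (the 00000000 first argument at 004816A1) tests the caller's own token, so the function at 0048168C is an "is the current user an administrator" check. One reading is an assumption and is labelled as such in the code: the identifier authority is passed by pointer and the report shows it only as ?, so the decoder assumes SECURITY_NT_AUTHORITY (5), the only authority under which those RIDs are meaningful. The idiom tags are name-set matches chosen for this example, not report fields; the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple is tagged as the shape of the MSVC CRT's security-failure reporting path, which most MSVC-built binaries contain, rather than as deliberate anti-debugging. The record inputs embedded in the block are copies of APIs lines from this report.

```python
import re

# Shape of the "APIs" lines in this report (copies of report lines):
#   • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,...), ref: 0048168C
#     • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
#   • ReleaseCapture.USER32 ref: 004B8B77
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Well-known SIDs the decoder can name (only the ones needed here).
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# ASSUMPTION: the report shows the SID_IDENTIFIER_AUTHORITY argument only as a
# pointer ('?'); RIDs 0x20/0x220 are only meaningful under SECURITY_NT_AUTHORITY.
SECURITY_NT_AUTHORITY = 5

# Idiom tags (chosen for this example): a function that directly issues every
# API in the set gets the tag. Argument values and call order are not checked.
SEQUENCES = {
    "admin-group-membership-check": {"AllocateAndInitializeSid", "CheckTokenMembership"},
    "process-enumeration-toolhelp": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "crt-security-failure-handler": {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                                     "UnhandledExceptionFilter"},
    "self-termination": {"GetCurrentProcess", "TerminateProcess", "ExitProcess"},
}


def _parse_args(raw):
    """'?,00000002,00000020' -> [None, 2, 32]; values the report could not resolve stay None."""
    if not raw or not raw.strip():
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")]


def parse_api_line(line):
    """Parse one APIs line into a dict, or return None if the line is not an API call."""
    m = API_LINE.match(line)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "module": m.group("module"),
        "args": _parse_args(m.group("args")),
        "ref": int(m.group("ref"), 16),
        # address of the callee when the call is inherited via "Part of subcall function"
        "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def sid_from_allocate_args(args, authority=SECURITY_NT_AUTHORITY):
    """Rebuild the SID made by AllocateAndInitializeSid(pAuth, nSub, sub0..sub7, ppSid)."""
    if len(args) < 2 or args[1] is None:
        return None
    count = args[1]
    subs = args[2:2 + count]
    if len(subs) != count or any(s is None for s in subs):
        return None  # a sub-authority was shown as '?', so the SID cannot be rebuilt
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def classify(calls):
    """Tags whose API sets are fully present among the function's direct (non-subcall) calls."""
    direct = {c["name"] for c in calls if c["subcall"] is None}
    return sorted(tag for tag, needed in SEQUENCES.items() if needed <= direct)


def triage(record_lines):
    """Parse one record's APIs lines and summarise what the function does."""
    calls = [c for c in (parse_api_line(l) for l in record_lines) if c]
    sids = [sid_from_allocate_args(c["args"]) for c in calls if c["name"] == "AllocateAndInitializeSid"]
    sids = [s for s in sids if s]
    return {"calls": calls, "tags": classify(calls), "sids": sids,
            "groups": [WELL_KNOWN_SIDS.get(s, "unknown") for s in sids]}


# Constructed input: APIs lines of three records copied from this report.
ADMIN_CHECK_RECORD = [
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0048168C",
    "• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004816A1",
    "• FreeSid.ADVAPI32(?), ref: 004816B1",
]
PROCESS_ENUM_RECORD = [
    "• CreateToolhelp32Snapshot.KERNEL32 ref: 0048D501",
    "• Process32FirstW.KERNEL32(00000000,?), ref: 0048D50F",
    "• Process32NextW.KERNEL32(00000000,?), ref: 0048D52F",
    "• CloseHandle.KERNEL32(00000000), ref: 0048D5DC",
]
GS_FAILURE_RECORD = [
    "• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0045271A",
    "• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00452724",
    "• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00452731",
]

if __name__ == "__main__":
    for func, rec in (("0048168C", ADMIN_CHECK_RECORD), ("0048D501", PROCESS_ENUM_RECORD),
                      ("0045271A", GS_FAILURE_RECORD)):
        r = triage(rec)
        print(func, r["tags"], r["sids"], r["groups"])
```

                      Run as a script it prints the tags for the three embedded records; to triage a whole report, pass each record's APIs lines to triage(). Matching uses direct calls only, so a tag lands on the function that issues the calls and not on every caller that inherits them as "Part of subcall function" lines. A SID is only rebuilt when every sub-authority is a resolved value; if the report shows one as ?, the decoder returns None rather than guessing.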
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID: Variable is not of type 'Object'.$p#O
                      • API String ID: 0-3081825068
                      • Opcode ID: 9aa0c3e73d5a7072711ab14e18fe11961312fe9bad05dd0680bc570a461646b4
                      • Instruction ID: 36339e60bb485b0840227dc8bb6dea1e6f0bc25481800bec192988a91ad14e68
                      • Opcode Fuzzy Hash: 9aa0c3e73d5a7072711ab14e18fe11961312fe9bad05dd0680bc570a461646b4
                      • Instruction Fuzzy Hash: E2328370A00228DBCF14DF91E981AEEB7B5FF05308F54805BE8066B391D779AD46CB59
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                        • Part of subcall function 00439944: GetWindowLongW.USER32(?,000000EB), ref: 00439952
                      • GetParent.USER32(?), ref: 004773A3
                      • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0047742D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: LongWindow$DialogNtdllParentProc_
                      • String ID:
                      • API String ID: 314495775-0
                      • Opcode ID: a63cebd8a0dcfafdc4b8405b999159ac69fc53884ac74a276978333965681f56
                      • Instruction ID: 13d8126caed71aa7dec850ec6b2f84f22c591409713cbb2b7a0e2d08a27bcda4
                      • Opcode Fuzzy Hash: a63cebd8a0dcfafdc4b8405b999159ac69fc53884ac74a276978333965681f56
                      • Instruction Fuzzy Hash: 39219134600104AFCB29AF29C849DFA3B95EF4A370F145257F9594B3F1C3B59D11D658
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0047769C,?,?,?), ref: 004B9111
                        • Part of subcall function 00439944: GetWindowLongW.USER32(?,000000EB), ref: 00439952
                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004B90F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: LongWindow$DialogMessageNtdllProc_Send
                      • String ID:
                      • API String ID: 1273190321-0
                      • Opcode ID: 8dbcd1e6722ddcdcd834c4409ae75511d1202aaf1c68e655e3310ab9c3b0f4ea
                      • Instruction ID: f05399049e359c719f25f69d0deacbe9836eda5fcede9c0097fb35cd6992e758
                      • Opcode Fuzzy Hash: 8dbcd1e6722ddcdcd834c4409ae75511d1202aaf1c68e655e3310ab9c3b0f4ea
                      • Instruction Fuzzy Hash: B101B130100214FBEB21AF18DC89FA63BA6FF85365F10412AFA511A2F1C7766C11DB78
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004A4891,?,?,?), ref: 004937E4
                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004A4891,?,?,?), ref: 004937F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 004B9423
                      • NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,0047776C,?,?,?,?,?), ref: 004B944C
                      Similarity
                      • API ID: ClientDialogNtdllProc_Screen
                      • String ID:
                      • API String ID: 3420055661-0
                      APIs
                      • GetWindowLongW.USER32(?,000000EC), ref: 004B9542
                      • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,004776FB,?,?,?,?), ref: 004B956C
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      Strings
                      Similarity
                      • API ID:
                      • String ID: /$/
                      • API String ID: 0-4033170267
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 004BA38F
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      APIs
                        • Part of subcall function 00439944: GetWindowLongW.USER32(?,000000EB), ref: 00439952
                      • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,004776B8,?,?,?,?,00000000,?), ref: 004B9EE7
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                        • Part of subcall function 0043912D: GetCursorPos.USER32(?), ref: 00439141
                        • Part of subcall function 0043912D: ScreenToClient.USER32(00000000,?), ref: 0043915E
                        • Part of subcall function 0043912D: GetAsyncKeyState.USER32(00000001), ref: 00439183
                        • Part of subcall function 0043912D: GetAsyncKeyState.USER32(00000002), ref: 0043919D
                      • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00477818,?,?,?,?,?,00000001,?), ref: 004B8AF8
                      Similarity
                      • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                      • String ID:
                      • API String ID: 2356834413-0
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00439096
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      APIs
                      • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 004B93C0
                      Similarity
                      • API ID: DialogNtdllProc_
                      • String ID:
                      • API String ID: 3239928679-0
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 004390D5
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      APIs
                      • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00477723,?,?,?,?,?,?), ref: 004B93F6
                        • Part of subcall function 004B8172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004F3018,004F305C), ref: 004B81BF
                        • Part of subcall function 004B8172: CloseHandle.KERNEL32 ref: 004B81D1
                      Similarity
                      • API ID: CloseCreateDialogHandleNtdllProc_Process
                      • String ID:
                      • API String ID: 4178364262-0
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                        • Part of subcall function 00438BCD: DestroyWindow.USER32(?), ref: 00438C81
                        • Part of subcall function 00438BCD: KillTimer.USER32(00000000,?,?,?,?,00438BBA,00000000,?), ref: 00438D1B
                      • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00438BC3
                      Similarity
                      • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                      • String ID:
                      • API String ID: 2797419724-0
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(004409E1,004403EE), ref: 004409DA
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      Strings
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1249317897.0000000001FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1fb0000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 004B712F
                      • GetSysColorBrush.USER32(0000000F), ref: 004B7160
                      • GetSysColor.USER32(0000000F), ref: 004B716C
                      • SetBkColor.GDI32(?,000000FF), ref: 004B7186
                      • SelectObject.GDI32(?,?), ref: 004B7195
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004B71C0
                      • GetSysColor.USER32(00000010), ref: 004B71C8
                      • CreateSolidBrush.GDI32(00000000), ref: 004B71CF
                      • FrameRect.USER32(?,?,00000000), ref: 004B71DE
                      • DeleteObject.GDI32(00000000), ref: 004B71E5
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 004B7230
                      • FillRect.USER32(?,?,?), ref: 004B7262
                      • GetWindowLongW.USER32(?,000000F0), ref: 004B7284
                        • Part of subcall function 004B73E8: GetSysColor.USER32(00000012), ref: 004B7421
                        • Part of subcall function 004B73E8: SetTextColor.GDI32(?,?), ref: 004B7425
                        • Part of subcall function 004B73E8: GetSysColorBrush.USER32(0000000F), ref: 004B743B
                        • Part of subcall function 004B73E8: GetSysColor.USER32(0000000F), ref: 004B7446
                        • Part of subcall function 004B73E8: GetSysColor.USER32(00000011), ref: 004B7463
                        • Part of subcall function 004B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004B7471
                        • Part of subcall function 004B73E8: SelectObject.GDI32(?,00000000), ref: 004B7482
                        • Part of subcall function 004B73E8: SetBkColor.GDI32(?,00000000), ref: 004B748B
                        • Part of subcall function 004B73E8: SelectObject.GDI32(?,?), ref: 004B7498
                        • Part of subcall function 004B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004B74B7
                        • Part of subcall function 004B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004B74CE
                        • Part of subcall function 004B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004B74DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                      • String ID:
                      • API String ID: 4124339563-0
                      APIs
                      • DestroyWindow.USER32(?,?), ref: 00438E14
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00476AC5
                      • 6FDC0200.COMCTL32(?,000000FF,?), ref: 00476AFE
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00476F43
                        • Part of subcall function 00438F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00438BE8,?,00000000,?,?,?,?,00438BBA,00000000,?), ref: 00438FC5
                      • SendMessageW.USER32(?,00001053), ref: 00476F7F
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00476F96
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: MessageSend$Window$C0200DestroyInvalidateMoveRect
                      • String ID: 0
                      • API String ID: 2124390451-4108050209
                      APIs
                      • GetSysColor.USER32(00000012), ref: 004B7421
                      • SetTextColor.GDI32(?,?), ref: 004B7425
                      • GetSysColorBrush.USER32(0000000F), ref: 004B743B
                      • GetSysColor.USER32(0000000F), ref: 004B7446
                      • CreateSolidBrush.GDI32(?), ref: 004B744B
                      • GetSysColor.USER32(00000011), ref: 004B7463
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 004B7471
                      • SelectObject.GDI32(?,00000000), ref: 004B7482
                      • SetBkColor.GDI32(?,00000000), ref: 004B748B
                      • SelectObject.GDI32(?,?), ref: 004B7498
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004B74B7
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004B74CE
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 004B74DB
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004B752A
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004B7554
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 004B7572
                      • DrawFocusRect.USER32(?,?), ref: 004B757D
                      • GetSysColor.USER32(00000011), ref: 004B758E
                      • SetTextColor.GDI32(?,00000000), ref: 004B7596
                      • DrawTextW.USER32(?,004B70F5,000000FF,?,00000000), ref: 004B75A8
                      • SelectObject.GDI32(?,?), ref: 004B75BF
                      • DeleteObject.GDI32(?), ref: 004B75CA
                      • SelectObject.GDI32(?,?), ref: 004B75D0
                      • DeleteObject.GDI32(?), ref: 004B75D5
                      • SetTextColor.GDI32(?,?), ref: 004B75DB
                      • SetBkColor.GDI32(?,?), ref: 004B75E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID:
                      • API String ID: 1996641542-0
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00438968
                      • GetSystemMetrics.USER32(00000007), ref: 00438970
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0043899B
                      • GetSystemMetrics.USER32(00000008), ref: 004389A3
                      • GetSystemMetrics.USER32(00000004), ref: 004389C8
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004389E5
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004389F5
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00438A28
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00438A3C
                      • GetClientRect.USER32(00000000,000000FF), ref: 00438A5A
                      • GetStockObject.GDI32(00000011), ref: 00438A76
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00438A81
                        • Part of subcall function 0043912D: GetCursorPos.USER32(?), ref: 00439141
                        • Part of subcall function 0043912D: ScreenToClient.USER32(00000000,?), ref: 0043915E
                        • Part of subcall function 0043912D: GetAsyncKeyState.USER32(00000001), ref: 00439183
                        • Part of subcall function 0043912D: GetAsyncKeyState.USER32(00000002), ref: 0043919D
                      • SetTimer.USER32(00000000,00000000,00000028,004390FC), ref: 00438AA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID:
                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 0-1645009161
                      APIs
                      • GetMenuItemCount.USER32(004F1990), ref: 00462F8D
                      • GetMenuItemCount.USER32(004F1990), ref: 0046303D
                      • GetCursorPos.USER32(?), ref: 00463081
                      • SetForegroundWindow.USER32(00000000), ref: 0046308A
                      • TrackPopupMenuEx.USER32(004F1990,00000000,?,00000000,00000000,00000000), ref: 0046309D
                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004630A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                      • String ID: 0
                      • API String ID: 36266755-4108050209
                      APIs
                      • GetMenuItemInfoW.USER32(004F1990,000000FF,00000000,00000030), ref: 0048BFAC
                      • SetMenuItemInfoW.USER32(004F1990,00000004,00000000,00000030), ref: 0048BFE1
                      • Sleep.KERNEL32(000001F4), ref: 0048BFF3
                      • GetMenuItemCount.USER32(?), ref: 0048C039
                      • GetMenuItemID.USER32(?,00000000), ref: 0048C056
                      • GetMenuItemID.USER32(?,-00000001), ref: 0048C082
                      • GetMenuItemID.USER32(?,?), ref: 0048C0C9
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C10F
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0048C124
                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0048C145
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountRadioSleep
                      • String ID: 0
                      • API String ID: 1460738036-4108050209
                      APIs
                        • Part of subcall function 00439944: GetWindowLongW.USER32(?,000000EB), ref: 00439952
                      • GetSysColor.USER32(0000000F), ref: 00439862
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: 166a1691689bc708c48f6bc7d704aaf2c409c85708f40625e2007a09e20ecf00
                      • Instruction ID: d856e25f8f0da12e4dd97e1e23d7488aa8c9b6b8d89ae7c452337e298399bdb5
                      • Opcode Fuzzy Hash: 166a1691689bc708c48f6bc7d704aaf2c409c85708f40625e2007a09e20ecf00
                      • Instruction Fuzzy Hash: 5641D531104640AFDB246F3C9CC4BBA3B65EB4A330F145616F9A6972E2C7B99C42DF19
                      APIs
                      • CharUpperBuffW.USER32(?,?,-00000032), ref: 0042A0E1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: $$0$9$=$A$Z$_$a$z
                      • API String ID: 3964851224-1136989504
                      • Opcode ID: 3ecef34cbfdb6419bedcb4133e81ada19f87b7610035492c8e75b3aaf5942aaa
                      • Instruction ID: 7a599b78b2327b0a2c1b24a80bb55f36a49453a6066a3387a4920131c4fa85ac
                      • Opcode Fuzzy Hash: 3ecef34cbfdb6419bedcb4133e81ada19f87b7610035492c8e75b3aaf5942aaa
                      • Instruction Fuzzy Hash: 5D81C771E0022A9BCF14EF94E8809EEB374FF18314F944527E851A7291E73C9966C75B
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,?,?,?,00463B9D,?,0000138A), ref: 00489717
                      • LoadStringW.USER32(00000000,?,?,00463B9D), ref: 00489720
                        • Part of subcall function 00429CB3: _wcslen.LIBCMT ref: 00429CBD
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,00463B9D,?,0000138A), ref: 00489742
                      • LoadStringW.USER32(00000000,?,?,00463B9D), ref: 00489745
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00489866
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wcslen
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                      • API String ID: 747408836-2268648507
                      • Opcode ID: b87b0031235fdf542a7bab01bcabd41ee0ba24ce770a6742de6ae110682e8565
                      • Instruction ID: 315f42e0503af1636a761416fa021e98f0badf8db14939f61a1af596cf0b0a27
                      • Opcode Fuzzy Hash: b87b0031235fdf542a7bab01bcabd41ee0ba24ce770a6742de6ae110682e8565
                      • Instruction Fuzzy Hash: 28416172900219ABCB04FBE2DD86EEE7778AF14745F54042AF50172091EB3D6F48CB69
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0047FAAF
                      • SafeArrayAllocData.OLEAUT32(?), ref: 0047FB08
                      • VariantInit.OLEAUT32(?), ref: 0047FB1A
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 0047FB3A
                      • VariantCopy.OLEAUT32(?,?), ref: 0047FB8D
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 0047FBA1
                      • VariantClear.OLEAUT32(?), ref: 0047FBB6
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 0047FBC3
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0047FBCC
                      • VariantClear.OLEAUT32(?), ref: 0047FBDE
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0047FBE9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      • Opcode ID: 5cb9b7969e6a2d1b9168d1b01fab314c147141c2c2ddcbd6af838e5db2c43fdc
                      • Instruction ID: 12f8588b67f0d5eb0c23d31db24640b0a29012802ef8d9ce2514bc301b8d20b5
                      • Opcode Fuzzy Hash: 5cb9b7969e6a2d1b9168d1b01fab314c147141c2c2ddcbd6af838e5db2c43fdc
                      • Instruction Fuzzy Hash: D3415435A00219DFCF00DF65D8949EEBBB9EF48344F00807AE955A7261D734AA45CFA4
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00421459
                      • OleUninitialize.OLE32(?,00000000), ref: 004214F8
                      • UnregisterHotKey.USER32(?), ref: 004216DD
                      • DestroyWindow.USER32(?), ref: 004624B9
                      • FreeLibrary.KERNEL32(?), ref: 0046251E
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0046254B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                      • String ID: >H$close all
                      • API String ID: 469580280-1282672471
                      • Opcode ID: 68ce77a8ebf770db5323752f66c0e52c5f89b0a8704384d98089dfc13eb92603
                      • Instruction ID: 852f70d196d7dd665ae9d2db4bb7c3070d10db517da492d242c17ec88131df72
                      • Opcode Fuzzy Hash: 68ce77a8ebf770db5323752f66c0e52c5f89b0a8704384d98089dfc13eb92603
                      • Instruction Fuzzy Hash: 0BD1BF31701222EFCB29EF15D595A29F7A0BF15304F5442AFE44A6B361DB38AC12CF5A
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF), ref: 004933CF
                        • Part of subcall function 00429CB3: _wcslen.LIBCMT ref: 00429CBD
                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004933F0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: LoadString$_wcslen
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                      • API String ID: 4099089115-3080491070
                      • Opcode ID: 11ae55be8fb33ab1d4782d2229026b8c1cd0552ac1d8a4aa514f5f3cb19027bb
                      • Instruction ID: 206525998a5395c8800700a879c6b29409dd401b671ec45590a38d9b386f1bdb
                      • Opcode Fuzzy Hash: 11ae55be8fb33ab1d4782d2229026b8c1cd0552ac1d8a4aa514f5f3cb19027bb
                      • Instruction Fuzzy Hash: 7951D071900219AADF14EBE2DD42EEEB778AF14349F64446AF40572061EB392F58CB68
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00425C7A
                        • Part of subcall function 00425D0A: GetClientRect.USER32(?,?), ref: 00425D30
                        • Part of subcall function 00425D0A: GetWindowRect.USER32(?,?), ref: 00425D71
                        • Part of subcall function 00425D0A: ScreenToClient.USER32(?,000000FF), ref: 00425D99
                      • GetDC.USER32 ref: 004646F5
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00464708
                      • SelectObject.GDI32(00000000,00000000), ref: 00464716
                      • SelectObject.GDI32(00000000,00000000), ref: 0046472B
                      • ReleaseDC.USER32(?,00000000), ref: 00464733
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004647C4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: U
                      • API String ID: 4009187628-3372436214
                      • Opcode ID: 8ae6b882c052409502db85ecccaa44ed7e3d0fe246cff2a1433078041a9c0b4e
                      • Instruction ID: 302fdee9e09b0e2762ac7deca875f5178239081158cfcaaeec4ff95320d264e3
                      • Opcode Fuzzy Hash: 8ae6b882c052409502db85ecccaa44ed7e3d0fe246cff2a1433078041a9c0b4e
                      • Instruction Fuzzy Hash: 17711230500205DFCF218F64C984ABB7BB5FF8A325F14426BED515A2A6E3389841DF6A
                      APIs
                      • RtlDecodePointer.NTDLL(?), ref: 0045AFAB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: 441e7ef3d4a46c0b12d4bfc9c238cb28d058fa4d834e3d9f30478fe85c9d9e14
                      • Instruction ID: 2a38bde9804c1b0fbd404391f429c0b88d18ecdc8ce1850921e1d661d52a2e55
                      • Opcode Fuzzy Hash: 441e7ef3d4a46c0b12d4bfc9c238cb28d058fa4d834e3d9f30478fe85c9d9e14
                      • Instruction Fuzzy Hash: B2519375900909DBCF149F68DA485AEBBB0FB09306F10419BE841A7366C7BD8D298B9D
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004935E4
                        • Part of subcall function 00429CB3: _wcslen.LIBCMT ref: 00429CBD
                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0049360A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: LoadString$_wcslen
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 4099089115-2391861430
                      • Opcode ID: c6a71e140f1097cc794bcd4e0181cf741a2428f19f4ff2e4ae57450476fc70f2
                      • Instruction ID: 527e782805d85e0e51c77088e0fe1b70afb222000313e3be558e5f02d001a6e1
                      • Opcode Fuzzy Hash: c6a71e140f1097cc794bcd4e0181cf741a2428f19f4ff2e4ae57450476fc70f2
                      • Instruction Fuzzy Hash: 81518E71900219AADF14EFE2DC82EEEBB34AF14349F54412AF505721A1DB381F98CF69
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00463AAF,?,?,Bad directive syntax error,004BCC08,00000000,00000010,?,?), ref: 004898BC
                      • LoadStringW.USER32(00000000,?,00463AAF,?), ref: 004898C3
                        • Part of subcall function 00429CB3: _wcslen.LIBCMT ref: 00429CBD
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00489987
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: HandleLoadMessageModuleString_wcslen
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 858772685-4153970271
                      • Opcode ID: 59eb233fc1ef9d540952fd10b73d053f0e134999707dd043249fc064c16d198d
                      • Instruction ID: f637df02af12420a45f69c2377614a99c3bb43b72ac4807c869ad515684fd28c
                      • Opcode Fuzzy Hash: 59eb233fc1ef9d540952fd10b73d053f0e134999707dd043249fc064c16d198d
                      • Instruction Fuzzy Hash: FF219131D0021AABCF15EF91DC46EEE7735BF18749F08482BF515610A1EB399A28CB19
                      APIs
                        • Part of subcall function 00438F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00438BE8,?,00000000,?,?,?,?,00438BBA,00000000,?), ref: 00438FC5
                      • DestroyWindow.USER32(?), ref: 00438C81
                      • KillTimer.USER32(00000000,?,?,?,?,00438BBA,00000000,?), ref: 00438D1B
                      • DestroyAcceleratorTable.USER32(00000000), ref: 00476973
                      • DeleteObject.GDI32(00000000), ref: 004769E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      • API String ID: 2402799130-0
                      • Opcode ID: ad012e679e6fe8cfe916e999ec19e5ae42c2481a949ffac4e04b0b55d1fbd15b
                      • Instruction ID: 4073c1240ef3383d6fd55069c77054874bed5b941f43f2c39adcce04d666bbb2
                      • Opcode Fuzzy Hash: ad012e679e6fe8cfe916e999ec19e5ae42c2481a949ffac4e04b0b55d1fbd15b
                      • Instruction Fuzzy Hash: 9061AD70102B00DFDB259F25C988B66B7F2FB48316F14A52EE04696670CB79AC91CF9D
                      APIs
                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004B5186
                      • ShowWindow.USER32(?,00000000), ref: 004B51C7
                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 004B51CD
                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 004B51D1
                        • Part of subcall function 004B6FBA: DeleteObject.GDI32(?), ref: 004B6FE6
                      • GetWindowLongW.USER32(?,000000F0), ref: 004B520D
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004B521A
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004B524D
                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004B5287
                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004B5296
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                      • String ID:
                      • API String ID: 3210457359-0
                      • Opcode ID: 97e110f17ce751f38cbc5d3797589cf198a61aa379607187e3ca6822129945d5
                      • Instruction ID: d8919038550f65d7ea8a33273f070f9847e76653ba0b4c5643bf8c399284a1ec
                      • Opcode Fuzzy Hash: 97e110f17ce751f38cbc5d3797589cf198a61aa379607187e3ca6822129945d5
                      • Instruction Fuzzy Hash: 8E51E230A42A08FFEF249F29DC46BD9BB61EB04324F144157F614963E0C3B9A991DF69
                      APIs
                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00476890
                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004768A9
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004768B9
                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004768D1
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004768F2
                      • DestroyCursor.USER32(00000000), ref: 00476901
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0047691E
                      • DestroyCursor.USER32(00000000), ref: 0047692D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CursorDestroyExtractIconImageLoadMessageSend
                      • String ID:
                      • API String ID: 3992029641-0
                      • Opcode ID: 7864f2abce3b61067ebd2121a329dd7bd086e720d83ed878ed063a63824a4d73
                      • Instruction ID: 30ac4504e7e308912e206b7875339f4eaef5d5e6437eb66e81e5188214416d69
                      • Opcode Fuzzy Hash: 7864f2abce3b61067ebd2121a329dd7bd086e720d83ed878ed063a63824a4d73
                      • Instruction Fuzzy Hash: 68519DB0600706EFDB20CF25CC91FAABBB6EB48350F10452EF946972A0DB74E951CB58
                      APIs
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0048BCFD
                      • IsMenu.USER32(00000000), ref: 0048BD1D
                      • CreatePopupMenu.USER32 ref: 0048BD53
                      • GetMenuItemCount.USER32(00F42DE0), ref: 0048BDA4
                      • InsertMenuItemW.USER32(00F42DE0,?,00000001,00000030), ref: 0048BDCC
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                      • String ID: 0$2
                      • API String ID: 93392585-3793063076
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 00442D4B
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00442D53
                      • _ValidateLocalCookies.LIBCMT ref: 00442DE1
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00442E0C
                      • _ValidateLocalCookies.LIBCMT ref: 00442E61
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: &HD$csm
                      • API String ID: 1170836740-3754641800
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 0048C913
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2457776203-404129466
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0047682C,00000004,00000000,00000000), ref: 0043F953
                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0047682C,00000004,00000000,00000000), ref: 0047F3D1
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0047682C,00000004,00000000,00000000), ref: 0047F454
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 004B2D1B
                      • GetDC.USER32(00000000), ref: 004B2D23
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B2D2E
                      • ReleaseDC.USER32(00000000,00000000), ref: 004B2D3A
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004B2D76
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004B2D87
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,?,004646DB,?,?,?,?), ref: 004B2DC2
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004B2DE1
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID:
                      • API String ID: 3864802216-0
                      Similarity
                      • API ID: Variant$ClearInit
                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      • API String ID: 2610073882-625585964
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      APIs
                      • IsWindow.USER32(00F43088), ref: 004B7F37
                      • IsWindowEnabled.USER32(00F43088), ref: 004B7F43
                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 004B801E
                      • SendMessageW.USER32(00F43088,000000B0,?,?), ref: 004B8051
                      • IsDlgButtonChecked.USER32(?,?), ref: 004B8089
                      • GetWindowLongW.USER32(00F43088,000000EC), ref: 004B80AB
                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004B80C3
                      Similarity
                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                      • String ID:
                      • API String ID: 4072528602-0
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100), ref: 0048DA74
                      • LoadStringW.USER32(00000000), ref: 0048DA7B
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0048DA91
                      • LoadStringW.USER32(00000000), ref: 0048DA98
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0048DADC
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 0048DAB9
                      Similarity
                      • API ID: HandleLoadModuleString$Message
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 4072794657-3128320259
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 0049097B
                      • RtlEnterCriticalSection.NTDLL(?), ref: 0049098D
                      • TerminateThread.KERNEL32(00000000,000001F6,?,?,?,?,?,?,?,?,?,?,?,?,004626DC), ref: 0049099B
                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,?,?,?,?,?,?,?,?,004626DC), ref: 004909A9
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004626DC), ref: 004909B8
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 004909C8
                      • RtlLeaveCriticalSection.NTDLL(?), ref: 004909CF
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      APIs
                      • GetClientRect.USER32(?,?), ref: 00425D30
                      • GetWindowRect.USER32(?,?), ref: 00425D71
                      • ScreenToClient.USER32(?,000000FF), ref: 00425D99
                      • GetClientRect.USER32(?,?), ref: 00425ED7
                      • GetWindowRect.USER32(?,?), ref: 00425EF8
                      Similarity
                      • API ID: Rect$Client$Window$Screen
                      • String ID:
                      • API String ID: 1296646539-0
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,0045644F,00000001,00000001,?), ref: 00456258
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,0045644F,00000001,00000001,?), ref: 004562DE
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004563D8
                      • __freea.LIBCMT ref: 004563E5
                        • Part of subcall function 00453820: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00453852
                      • __freea.LIBCMT ref: 004563EE
                      • __freea.LIBCMT ref: 00456413
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0047F7B9
                      • SysAllocString.OLEAUT32(?), ref: 0047F860
                      • VariantCopy.OLEAUT32(?,00000000), ref: 0047F889
                      • VariantClear.OLEAUT32(?), ref: 0047F8AD
                      • VariantCopy.OLEAUT32(?,00000000), ref: 0047F8B1
                      • VariantClear.OLEAUT32(?), ref: 0047F8BB
                      Similarity
                      • API ID: Variant$ClearCopy$AllocInitString
                      • String ID:
                      • API String ID: 3859894641-0
                      APIs
                        • Part of subcall function 00439BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00439BB2
                      • BeginPaint.USER32(?,?,?), ref: 00439241
                      • GetWindowRect.USER32(?,?), ref: 004392A5
                      • ScreenToClient.USER32(?,?), ref: 004392C2
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004392D3
                      • EndPaint.USER32(?,?,?,?,?), ref: 00439321
                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004771EA
                        • Part of subcall function 00439339: BeginPath.GDI32(00000000), ref: 00439357
                      Similarity
                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                      • String ID:
                      • API String ID: 3050599898-0
                      • Opcode ID: bd3b406c11ed6788bc805e61fca317a4bd77c258fdada7f4f0cbaab4919037ae
                      • Instruction ID: a052bafbaabb3243e4b2ca14dab2ae75c95ecfe0de31980b51631c2ab50d17ce
                      • Opcode Fuzzy Hash: bd3b406c11ed6788bc805e61fca317a4bd77c258fdada7f4f0cbaab4919037ae
                      • Instruction Fuzzy Hash: 4B41BC70104200AFD720DF25C8C4FBB7BA8EB49324F04066AF9A4872B1C7B59C45CBAA
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0047F3AB,00000000,?,?,00000000,?,0047682C,00000004,00000000,00000000), ref: 004B824C
                      • EnableWindow.USER32(00000000,00000000), ref: 004B8272
                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 004B82D1
                      • ShowWindow.USER32(00000000,00000004), ref: 004B82E5
                      • EnableWindow.USER32(00000000,00000001), ref: 004B830B
                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004B832F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID:
                      • API String ID: 642888154-0
                      • Opcode ID: 1c2dda91cbecc5ce709a4c3bf2a7df5c759171c2b1326be84cb9ae823227aa57
                      • Instruction ID: 963522e95a701a7e52bbb12b9393839bb6cd1db03a16ee78f48389ca045d3f4e
                      • Opcode Fuzzy Hash: 1c2dda91cbecc5ce709a4c3bf2a7df5c759171c2b1326be84cb9ae823227aa57
                      • Instruction Fuzzy Hash: 7C41A034601644EFDB15CF15C899FE57BE4FB0A714F1812BEE9084B272CB76A851CB68
                      APIs
                      • GetLastError.KERNEL32(?,?,00443379,00442FE5), ref: 00443390
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0044339E
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004433B7
                      • SetLastError.KERNEL32(00000000,?,00443379,00442FE5), ref: 00443409
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: c5b8fc3a70f2712d8779d7f19047d8e83cd85cb5aebc6abe09c37df394b0898c
                      • Instruction ID: dd18933cf4287b7b00d4be7af2c0977fee4b0049e3697695e8be95994c39331c
                      • Opcode Fuzzy Hash: c5b8fc3a70f2712d8779d7f19047d8e83cd85cb5aebc6abe09c37df394b0898c
                      • Instruction Fuzzy Hash: 5C01B533609712AFB6292FB56CC56572A94EB05F7B720023FF820852F3EF194E12554C
                      APIs
                        • Part of subcall function 00439639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00439693
                        • Part of subcall function 00439639: SelectObject.GDI32(?,00000000), ref: 004396A2
                        • Part of subcall function 00439639: BeginPath.GDI32(?), ref: 004396B9
                        • Part of subcall function 00439639: SelectObject.GDI32(?,00000000), ref: 004396E2
                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004B8A4E
                      • LineTo.GDI32(?,00000003,00000000), ref: 004B8A62
                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004B8A70
                      • LineTo.GDI32(?,00000000,00000003), ref: 004B8A80
                      • EndPath.GDI32(?), ref: 004B8A90
                      • StrokePath.GDI32(?), ref: 004B8AA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                      • String ID:
                      • API String ID: 43455801-0
                      • Opcode ID: 89c87c682785509f4b5c63dd9a876a6b279aacb30d20a9af0cb896223f30c3c8
                      • Instruction ID: 023927b94f1a1aa63a5d690f656a135f3f775b83a35901e6f78d69a93d31bde7
                      • Opcode Fuzzy Hash: 89c87c682785509f4b5c63dd9a876a6b279aacb30d20a9af0cb896223f30c3c8
                      • Instruction Fuzzy Hash: 63110576400109FFEB129F94DC88EAA7F6CEB08354F008126BA199A1A1C7719D55DFA4
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00421BF4
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00421BFC
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00421C07
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00421C12
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00421C1A
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00421C22
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      • Opcode ID: 6617e602e44aeee31bd09277525d3aff926be396c2926abe7a052b06bdfa4026
                      • Instruction ID: f57bb350fa915c8d6b9f2a984555eae65bbcd05260944d52ec595473fd2ec07c
                      • Opcode Fuzzy Hash: 6617e602e44aeee31bd09277525d3aff926be396c2926abe7a052b06bdfa4026
                      • Instruction Fuzzy Hash: E10167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0042BEB3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: D%O$D%O$D%O$D%OD%O
                      • API String ID: 1385522511-2668399839
                      • Opcode ID: 387ad5192af8ddf15787d0e5bcf20404a8563ee14d17f0ad2b088d069e0cf0fa
                      • Instruction ID: aa5a16b601e756f8891619615369944f3bf371238661e00f2df35c2f94952a3c
                      • Opcode Fuzzy Hash: 387ad5192af8ddf15787d0e5bcf20404a8563ee14d17f0ad2b088d069e0cf0fa
                      • Instruction Fuzzy Hash: EB917B75A0022ADFCB18CF59D0906AAB7F1FF58310BA4816ED941AB350D779AD81CBD8
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00444D1E,?,?,00444CBE,?,004E88B8,0000000C,00444E63,?,00000000), ref: 00444D8D
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00444DA0
                      • FreeLibrary.KERNEL32(00000000,?,?,?,00444D1E,?,?,00444CBE,?,004E88B8,0000000C,00444E63,?,00000000,00000000), ref: 00444DC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 770c98dfd75bd365cbec7ae5476aa4869855e4ceb42fa576dc3f527ed88c497c
                      • Instruction ID: fa30650c301d593e74ca500009bc75446bcdc9f291db641ad70cceae225fb82d
                      • Opcode Fuzzy Hash: 770c98dfd75bd365cbec7ae5476aa4869855e4ceb42fa576dc3f527ed88c497c
                      • Instruction Fuzzy Hash: 2BF06835940208FBEB555F94DC89B9EBFF5EF54751F000169F905A2250CB745D41CF98
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00424EDD,?,004F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00424E9C
                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00424EAE
                      • FreeLibrary.KERNEL32(00000000,?,?,00424EDD,?,004F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00424EC0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                      • API String ID: 145871493-3689287502
                      • Opcode ID: 203a069dfd6bb676703e8673033adcafabe9c71b2032b7f1e0c2e0ca87e9b39e
                      • Instruction ID: a7ac8e758baee5ad8d0333e97795404a1bf8f33eb23ab2e2bb9d644efc0db623
                      • Opcode Fuzzy Hash: 203a069dfd6bb676703e8673033adcafabe9c71b2032b7f1e0c2e0ca87e9b39e
                      • Instruction Fuzzy Hash: 7BE08635B016329BA2321B29BC98B5F6558EFC1F637060226FC00E2304DBA8CD0245BC
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00424E62
                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00424E74
                      • FreeLibrary.KERNEL32(00000000), ref: 00424E87
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                      • API String ID: 145871493-1355242751
                      • Opcode ID: 2eb3e7558627c1f8a3a7b4cb612749afefd106928358c56ed9482860911f9451
                      • Instruction ID: 8406569b2fbf4ea97cac0c29366a44cafc92623dd726abaa6f29c0303cd906d4
                      • Opcode Fuzzy Hash: 2eb3e7558627c1f8a3a7b4cb612749afefd106928358c56ed9482860911f9451
                      • Instruction Fuzzy Hash: 70D01D356016315755221B197C9CE8F6518EFC5B653560726F905B6224CF58CD02C5EC
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00439693
                      • SelectObject.GDI32(?,00000000), ref: 004396A2
                      • BeginPath.GDI32(?), ref: 004396B9
                      • SelectObject.GDI32(?,00000000), ref: 004396E2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: 688cd9b79ff68580e38bc10cfbf2b170a568731e0da3cf86a8f5206efad26559
                      • Instruction ID: 1cce26d8e3724cbc38c2882189e9a370e405898c0bc9db57da13c752c78295b9
                      • Opcode Fuzzy Hash: 688cd9b79ff68580e38bc10cfbf2b170a568731e0da3cf86a8f5206efad26559
                      • Instruction Fuzzy Hash: FD217FB0802305EBDB119F69DC55BBA3BA8BB14315F104226F810A62B0D3F85CA1CFDC
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,00000000), ref: 0048E997
                      • QueryPerformanceFrequency.KERNEL32(?), ref: 0048E9A5
                      • Sleep.KERNEL32(00000000), ref: 0048E9AD
                      • QueryPerformanceCounter.KERNEL32(?), ref: 0048E9B7
                      • Sleep.KERNEL32(?,00000000), ref: 0048E9F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: 38e9b1c3a815adf0334238628422aa24672ecd963336a622d49eb4704b9d04e3
                      • Instruction ID: e31743c856f076a3248661529ae506dbe943dafa0f09f2640884f846d3c2f599
                      • Opcode Fuzzy Hash: 38e9b1c3a815adf0334238628422aa24672ecd963336a622d49eb4704b9d04e3
                      • Instruction Fuzzy Hash: DB016D71C01529DBCF00AFEADD896DDBB78FF09301F000A57E942B2240CB789551CBAA
                      APIs
                      • CloseHandle.KERNEL32(?,?,?,?,0049017D,?,004932FC,?,00000001,00462592,?), ref: 00490324
                      • CloseHandle.KERNEL32(?,?,?,?,0049017D,?,004932FC,?,00000001,00462592,?), ref: 00490331
                      • CloseHandle.KERNEL32(?,?,?,?,0049017D,?,004932FC,?,00000001,00462592,?), ref: 0049033E
                      • CloseHandle.KERNEL32(?,?,?,?,0049017D,?,004932FC,?,00000001,00462592,?), ref: 0049034B
                      • CloseHandle.KERNEL32(?,?,?,?,0049017D,?,004932FC,?,00000001,00462592,?), ref: 00490358
                      • CloseHandle.KERNEL32(?,?,?,?,0049017D,?,004932FC,?,00000001,00462592,?), ref: 00490365
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 4a76357199183cb86dea2916cb5250c22fb095a08fe14fe5e356c72c89e91214
                      • Instruction ID: ed570704167c4625fbdd6ac4fb9fec6c048d36119dd0c1c114731c2716f9d6ca
                      • Opcode Fuzzy Hash: 4a76357199183cb86dea2916cb5250c22fb095a08fe14fe5e356c72c89e91214
                      • Instruction Fuzzy Hash: 2801AA72800B159FCB30AF6AD880813FBF9BF603153158A3FD59652A31C3B5A998DF84
                      APIs
                      • EndPath.GDI32(?), ref: 004395D4
                      • StrokeAndFillPath.GDI32(?,?,004771F7,00000000,?,?,?), ref: 004395F0
                      • SelectObject.GDI32(?,00000000), ref: 00439603
                      • DeleteObject.GDI32 ref: 00439616
                      • StrokePath.GDI32(?), ref: 00439631
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: b8e094ef599b38223ed017283183c3e81c52f771f088a9ee7625484d63ba14e7
                      • Instruction ID: 0098941d5436ee94867e0b73aab18bb8645177949b71046b5e65b0b33d233bd7
                      • Opcode Fuzzy Hash: b8e094ef599b38223ed017283183c3e81c52f771f088a9ee7625484d63ba14e7
                      • Instruction Fuzzy Hash: 98F03C71006204EBDB166F69ED9CB793B65AB14322F048335F465551F0C7B489A1DFAC
                      APIs
                        • Part of subcall function 00440242: RtlEnterCriticalSection.NTDLL(004F070C), ref: 0044024D
                        • Part of subcall function 00440242: RtlLeaveCriticalSection.NTDLL(004F070C), ref: 0044028A
                      • __Init_thread_footer.LIBCMT ref: 004A6238
                        • Part of subcall function 004401F8: RtlEnterCriticalSection.NTDLL(004F070C), ref: 00440202
                        • Part of subcall function 004401F8: RtlLeaveCriticalSection.NTDLL(004F070C), ref: 00440235
                        • Part of subcall function 0049359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004935E4
                        • Part of subcall function 0049359C: LoadStringW.USER32(?,?,00000FFF,?), ref: 0049360A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer
                      • String ID: x#O$x#O$x#O
                      • API String ID: 831270504-1585387102
                      • Opcode ID: 5148effac39f37a56f409a0bedf1e429d3da675d582fd153399ab23b8bf46d77
                      • Instruction ID: 4787d067b239ab745dc6c827bfd9894440a0f23e5039edcf9f5bbd66865290ba
                      • Opcode Fuzzy Hash: 5148effac39f37a56f409a0bedf1e429d3da675d582fd153399ab23b8bf46d77
                      • Instruction Fuzzy Hash: BFC1BF71A00105AFCB14EF68D890EBEB7B9EF59304F15806EF9059B281DB78ED41CB98
                      APIs
                        • Part of subcall function 00440242: RtlEnterCriticalSection.NTDLL(004F070C), ref: 0044024D
                        • Part of subcall function 00440242: RtlLeaveCriticalSection.NTDLL(004F070C), ref: 0044028A
                        • Part of subcall function 00429CB3: _wcslen.LIBCMT ref: 00429CBD
                      • __Init_thread_footer.LIBCMT ref: 004A7BFB
                        • Part of subcall function 004401F8: RtlEnterCriticalSection.NTDLL(004F070C), ref: 00440202
                        • Part of subcall function 004401F8: RtlLeaveCriticalSection.NTDLL(004F070C), ref: 00440235
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer_wcslen
                      • String ID: 5$G$Variable must be of type 'Object'.
                      • API String ID: 2919631681-3733170431
                      • Opcode ID: ac20301445e93c54bd3e8827533e613ae7220141e49c2a058c4e244485c39c73
                      • Instruction ID: 9b15b032ea6dcef501bf0ed2737f1c01530fbf72e31ba169647124b915c358d8
                      • Opcode Fuzzy Hash: ac20301445e93c54bd3e8827533e613ae7220141e49c2a058c4e244485c39c73
                      • Instruction Fuzzy Hash: 1A91AE70A04208EFCB24EF55D9809BEB7B1BF5A304F10805EF8065B392DB79AE45CB59
                      APIs
                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0048C306
                      • DeleteMenu.USER32(?,00000007,00000000), ref: 0048C34C
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004F1990,00F42DE0), ref: 0048C395
                      Similarity
                      • API ID: Menu$Delete$InfoItem
                      • String ID: 0
                      • API String ID: 135850232-4108050209
                      • Opcode ID: 3cd06125631ab5b22e413d03be100133dcc71bc6ee7250fbafebd8ab95a6fb48
                      • Instruction ID: 6bf9573f0b25be86350bfd945495980d7889344203c72767b02a203235e56a2b
                      • Opcode Fuzzy Hash: 3cd06125631ab5b22e413d03be100133dcc71bc6ee7250fbafebd8ab95a6fb48
                      • Instruction Fuzzy Hash: B8419F31204301AFD720EF25D884B1FBBE4EB85314F048A2EFCA597391D738A905CB6A
                      Similarity
                      • API ID: _wcslen
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 176396367-2734436370
                      • Opcode ID: 2de4f0e3c003871a63c400b291136f077115ea5e3e066e36fa187930c508e0d3
                      • Instruction ID: 8b665dd323efb9f2dba6666a9c507dfa533ed268a469f9ccfb59864a218d5ee9
                      • Opcode Fuzzy Hash: 2de4f0e3c003871a63c400b291136f077115ea5e3e066e36fa187930c508e0d3
                      • Instruction Fuzzy Hash: 7821387220492066D331BA259C02FBF73D89FA5314F58482FF949A7241FB5DAD46C3AD
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000004,00000000,00000000,?,00000012,00000000,?,00000001,00000004,?,00000001,?,?), ref: 0045D910
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0045D999
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0045D9AB
                      • __freea.LIBCMT ref: 0045D9B4
                        • Part of subcall function 00453820: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00453852
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      • Opcode ID: 5c0b7bf8cf3c1df50d6b3d3dfb2ad0d63902f621e7fb7e4dc556c90f9aa99003
                      • Instruction ID: f8d308ad01f2f33b2b8a5df883c787780ab5ba330c8c03114524331aca9c03d4
                      • Opcode Fuzzy Hash: 5c0b7bf8cf3c1df50d6b3d3dfb2ad0d63902f621e7fb7e4dc556c90f9aa99003
                      • Instruction Fuzzy Hash: 0731A2B2A0020AABDF24DF65DC81EAF7BA5EF41311F05416AFC04D6252EB39CD58CB94
                      APIs
                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 004B5352
                      • GetWindowLongW.USER32(?,000000F0), ref: 004B5375
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004B5382
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004B53A8
                      Similarity
                      • API ID: LongWindow$InvalidateMessageRectSend
                      • String ID:
                      • API String ID: 3340791633-0
                      • Opcode ID: 0f454f416f88df9d84323463d26d872b30b10bd76ada223349f75db1ecc2772d
                      • Instruction ID: 0e6be3fb93005571dbf625096ca755da9f062133771ba449ee602e294daacbc5
                      • Opcode Fuzzy Hash: 0f454f416f88df9d84323463d26d872b30b10bd76ada223349f75db1ecc2772d
                      • Instruction Fuzzy Hash: 9D31E330A55A08EFEF309E14DC45FEAB7E1AB04390F586113BE00963E0C3BD9991D76A
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 004B769A
                      • GetWindowRect.USER32(?,?), ref: 004B7710
                      • PtInRect.USER32(?,?,004B8B89), ref: 004B7720
                      • MessageBeep.USER32(00000000), ref: 004B778C
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: c5cab7f38cb4b9fa88fbec202baf95c282a0d5e32bf9de60be190ba4343e86b1
                      • Instruction ID: e8618f4d2f749d5fe1c815d1b6152c9bcd229f3e0189e84d5168ab5000a5e89d
                      • Opcode Fuzzy Hash: c5cab7f38cb4b9fa88fbec202baf95c282a0d5e32bf9de60be190ba4343e86b1
                      • Instruction Fuzzy Hash: F5418D74609214DFCB11CF59C894EE977F4FB88314F1541AAE4159B361CB78B942CFA8
                      APIs
                        • Part of subcall function 00427620: _wcslen.LIBCMT ref: 00427625
                      • _wcslen.LIBCMT ref: 0048DFCB
                      • _wcslen.LIBCMT ref: 0048DFE2
                      • _wcslen.LIBCMT ref: 0048E00D
                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0048E018
                      Similarity
                      • API ID: _wcslen$ExtentPoint32Text
                      • String ID:
                      • API String ID: 3763101759-0
                      • Opcode ID: 9586b93b3511f0820c14f5b92c22caebab60b8f187ec74d5cf3fa2f8dbb12b71
                      • Instruction ID: 688a10d336600dd474d55ce6f52e9f1a780b5ee2c52b4c0a618fa0e213d74c56
                      • Opcode Fuzzy Hash: 9586b93b3511f0820c14f5b92c22caebab60b8f187ec74d5cf3fa2f8dbb12b71
                      • Instruction Fuzzy Hash: 6A21F671D00214AFDB10AFA5D881B6E77F8EF85314F10406AE905BB381D6789D01CBA9
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042604C
                      • GetStockObject.GDI32(00000011), ref: 00426060
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0042606A
                      Similarity
                      • API ID: CreateMessageObjectSendStockWindow
                      • String ID:
                      • API String ID: 3970641297-0
                      • Opcode ID: 10673ed9f00e6fed51b8a31d7e4de800ef936a9aadb984801057af9a5bfd0b6f
                      • Instruction ID: fe575ca44266ba6ec63ba3cca17420b353a1b669c7c07ed729124ab5da811ebc
                      • Opcode Fuzzy Hash: 10673ed9f00e6fed51b8a31d7e4de800ef936a9aadb984801057af9a5bfd0b6f
                      • Instruction Fuzzy Hash: 4211A172201519FFEF128FA49C84EEB7B69EF19354F410216FA0452110D736DC60EBA5
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00443B56
                        • Part of subcall function 00443AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00443AD2
                        • Part of subcall function 00443AA3: ___AdjustPointer.LIBCMT ref: 00443AED
                      • _UnwindNestedFrames.LIBCMT ref: 00443B6B
                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00443B7C
                      • CallCatchBlock.LIBVCRUNTIME ref: 00443BA4
                      Similarity
                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                      • String ID:
                      • API String ID: 737400349-0
                      • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                      • Instruction ID: 206eb459b937fce6a28a039aa3506fed5dda4049bff876752660758f0b2f6f89
                      • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                      • Instruction Fuzzy Hash: F0014432100148BBEF115E96CC41EEB3F6DFF88B59F044019FE4856111C736E961DBA4
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 004B7E33
                      • ScreenToClient.USER32(?,?), ref: 004B7E4B
                      • ScreenToClient.USER32(?,?), ref: 004B7E6F
                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 004B7E8A
                      Similarity
                      • API ID: ClientRectScreen$InvalidateWindow
                      • String ID:
                      • API String ID: 357397906-0
                      • Opcode ID: ca66bdd66dcc7384e8f484574edb3e6810f063d2ae15764b4d5a15b8aa814b5d
                      • Instruction ID: ea7898d8021990b676cb75894b4fe6073994c25a4a76a144b591302831a351b1
                      • Opcode Fuzzy Hash: ca66bdd66dcc7384e8f484574edb3e6810f063d2ae15764b4d5a15b8aa814b5d
                      • Instruction Fuzzy Hash: 6F1156B9D0020AAFDB41CF98C8849EEBBF5FF18310F505166E915E3210D735AA55CF64
                      APIs
                        • Part of subcall function 00439639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00439693
                        • Part of subcall function 00439639: SelectObject.GDI32(?,00000000), ref: 004396A2
                        • Part of subcall function 00439639: BeginPath.GDI32(?), ref: 004396B9
                        • Part of subcall function 00439639: SelectObject.GDI32(?,00000000), ref: 004396E2
                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004B8887
                      • LineTo.GDI32(?,?,?), ref: 004B8894
                      • EndPath.GDI32(?), ref: 004B88A4
                      • StrokePath.GDI32(?), ref: 004B88B2
                      Similarity
                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                      • String ID:
                      • API String ID: 1539411459-0
                      • Opcode ID: f9fc80daa7187f23315b88871c360af5c27d8fa16118747172ed28453fb9b726
                      • Instruction ID: 5eb27a4352b6de61ad9c23b333954d8197ee72f117333690417c05732d85534d
                      • Opcode Fuzzy Hash: f9fc80daa7187f23315b88871c360af5c27d8fa16118747172ed28453fb9b726
                      • Instruction Fuzzy Hash: ECF05E36042259FBDB126F94AC8AFDE3F59AF06310F048115FA11651E1C7B95521CFED
                      APIs
                      • GetSysColor.USER32(00000008), ref: 004398CC
                      • SetTextColor.GDI32(?,?), ref: 004398D6
                      • SetBkMode.GDI32(?,00000001), ref: 004398E9
                      • GetStockObject.GDI32(00000005), ref: 004398F1
                      Similarity
                      • API ID: Color$ModeObjectStockText
                      • String ID:
                      • API String ID: 4037423528-0
                      • Opcode ID: 40d7b848b5850b76976a4b610e4220acfa4ee3c2bcb40607897062a5d2673bb2
                      • Instruction ID: 098c4cd04a098d7eae85ce8b764ac150a3f0574c0d9237674d49ecb4cb5764ca
                      • Opcode Fuzzy Hash: 40d7b848b5850b76976a4b610e4220acfa4ee3c2bcb40607897062a5d2673bb2
                      • Instruction Fuzzy Hash: E1E06D31244280BBDB215B78AC89BE93F20AB12336F04C32AF6FA681E1C37546509F24
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,004BCC08,?,?), ref: 004A78DD
                        • Part of subcall function 00426B57: _wcslen.LIBCMT ref: 00426B6A
                      • CharUpperBuffW.USER32(?,?,?,004BCC08,00000000,?,?), ref: 004A783B
                      Similarity
                      • API ID: BuffCharUpper$_wcslen
                      • String ID: <sN
                      • API String ID: 3544283678-1195803460
                      • Opcode ID: 710e271b8b416be17d8616da74b3feec144df2bace067bd10a4176d77b1fcff4
                      • Instruction ID: bfb7160f030093b10e1312432d3d507ff0b3eecf7b7d8cdc80c962e03b333f0b
                      • Opcode Fuzzy Hash: 710e271b8b416be17d8616da74b3feec144df2bace067bd10a4176d77b1fcff4
                      • Instruction Fuzzy Hash: 35618371A14128ABCF14FBA5DC91DFEB378BF24304F84402BE54263151EB3C5A45CBA8
                      Similarity
                      • API ID:
                      • String ID: #
                      • API String ID: 0-1885708031
                      • Opcode ID: de0e9b925884cd006c447eb9bac96b7447763f0bfc139f68367f924be947d208
                      • Instruction ID: 5d0063d1ee91fe7a48ca78b4491e3e04105434701f5a4d2751376aa415c7774d
                      • Opcode Fuzzy Hash: de0e9b925884cd006c447eb9bac96b7447763f0bfc139f68367f924be947d208
                      • Instruction Fuzzy Hash: 7E514431501206DFDB18DF2AD080AFB7BA8EF19310F24819BE8519B3D0D6389D43CB59
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 0043F2A2
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0043F2BB
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: 9c1c87d9eaf62fea83816c8154d756d6fc0e8f817a6c624eab3af8fffb72e5d0
                      • Instruction ID: 24293c0fc56896a0c17fc01ec14f76f0ebf77e849ef1aa67b9eff314bc8757a7
                      • Opcode Fuzzy Hash: 9c1c87d9eaf62fea83816c8154d756d6fc0e8f817a6c624eab3af8fffb72e5d0
                      • Instruction Fuzzy Hash: CF5148715087449BD320AF51EC86BAFBBF8FF84304F81885EF1D9411A5EB348529CB6A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: BuffCharUpper_wcslen
                      • String ID: CALLARGARRAY
                      • API String ID: 157775604-1150593374
                      • Opcode ID: f889b03cc80477818a1a61c2c7d896ef7edbe02cf2916814792a83729cecc316
                      • Instruction ID: 3a3f3b33b7eba67267eeaed76f1bcfdaff2b883447ccf224b8572cac2ddc9f89
                      • Opcode Fuzzy Hash: f889b03cc80477818a1a61c2c7d896ef7edbe02cf2916814792a83729cecc316
                      • Instruction Fuzzy Hash: 3041B071E001099FCB14EFAAC9819AEBBB5FF6A354F10402EE505A7351D73C9D81CBA8
                      APIs
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004F3018,004F305C), ref: 004B81BF
                      • CloseHandle.KERNEL32 ref: 004B81D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID: \0O
                      • API String ID: 3712363035-2747425844
                      • Opcode ID: 2134e1b077ea0957b6f229c9891f9dd2bb5a5a811497ac51c363b66cebf7219a
                      • Instruction ID: 9e388ae0e579585d00d1167caacdc7fc5adc08f44081a5f9308e7e6f62d5cc4d
                      • Opcode Fuzzy Hash: 2134e1b077ea0957b6f229c9891f9dd2bb5a5a811497ac51c363b66cebf7219a
                      • Instruction Fuzzy Hash: 3FF03AB2640304BFE2206F65AC86FB73A9CDB05756F404436BF08D51A6DA798E2092BC
                      APIs
                        • Part of subcall function 0043F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(004F0A88,00000000,004F0A74,00440D71,?,?,?,0042100A), ref: 0043F7CE
                      • IsDebuggerPresent.KERNEL32(?,?,?,0042100A), ref: 00440D75
                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0042100A), ref: 00440D84
                      Strings
                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00440D7F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                      • API String ID: 55579361-631824599
                      • Opcode ID: 44fb6bf6fd8308dc4c0f94f12175fb61b9fc2013d2bf6b9f62d1bfd8cc5b9799
                      • Instruction ID: 4d85261dab1750e24a7bbf4da3a69803500e5b18fc760208075486c7a188854e
                      • Opcode Fuzzy Hash: 44fb6bf6fd8308dc4c0f94f12175fb61b9fc2013d2bf6b9f62d1bfd8cc5b9799
                      • Instruction Fuzzy Hash: F1E06DB0A007118BE3309FBDE8447527BE0AF04744F008A7EE586C6651DBB9E4488BA9
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0043E3D5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1247344632.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                      • Associated: 00000000.00000002.1247331110.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000004EC000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247344632.00000000005A3000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247654952.00000000005A9000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1247682417.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_420000_SALKI098765R400.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: 0%O$8%O
                      • API String ID: 1385522511-3010797974
                      • Opcode ID: a6b2332fa0081381ba9ad3e40dc223a0100565831a9e07da145240f387df00ef
                      • Instruction ID: 0d151e98a5d2f19d873d3d509c09f44602e43b0439c0cad557f310aee3a42fe9
                      • Opcode Fuzzy Hash: a6b2332fa0081381ba9ad3e40dc223a0100565831a9e07da145240f387df00ef
                      • Instruction Fuzzy Hash: D0E02631402914EBC604971ABA55AAB3353AB0C324F9031BBEA028B2D19BBD6C41C64D

                      Execution Graph

                      Execution Coverage:5.1%
                      Dynamic/Decrypted Code Coverage:51.1%
                      Signature Coverage:1.8%
                      Total number of Nodes:1712
                      Total number of Limit Nodes:70
                      execution_graph: serialized node/edge data of the interactive execution graph viewer (function addresses with their resolved API calls); not reproduced as readable text here
41b580 80 API calls 84107->84112 84205 420cf1 27 API calls 84108->84205 84115 40495f 84111->84115 84112->84084 84114 40498f 84117 4049c4 84114->84117 84118 404994 84114->84118 84119 402093 28 API calls 84115->84119 84209 420e97 28 API calls 84117->84209 84121 402093 28 API calls 84118->84121 84122 40496e 84119->84122 84124 4049a3 84121->84124 84125 41b580 80 API calls 84122->84125 84128 402093 28 API calls 84124->84128 84129 404973 84125->84129 84126 4049cc 84127 4049f9 CreateEventW CreateEventW 84126->84127 84130 402093 28 API calls 84126->84130 84127->84084 84131 4049b2 84128->84131 84206 41e7a2 RtlDeleteCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 84129->84206 84132 4049e2 84130->84132 84133 41b580 80 API calls 84131->84133 84135 402093 28 API calls 84132->84135 84136 4049b7 84133->84136 84137 4049f1 84135->84137 84208 421143 52 API calls 84136->84208 84139 41b580 80 API calls 84137->84139 84140 4049f6 84139->84140 84140->84127 84142 4020df 11 API calls 84141->84142 84143 402f3d 84142->84143 84144 4032a0 28 API calls 84143->84144 84145 402f59 84144->84145 84145->84060 84262 401fb0 84146->84262 84148 402f1e 84149 402055 11 API calls 84148->84149 84150 402f2d 84149->84150 84150->84063 84152 4020df 11 API calls 84151->84152 84153 404c27 84152->84153 84154 4020df 11 API calls 84153->84154 84157 404c30 84154->84157 84155 43bda0 new 21 API calls 84155->84157 84157->84155 84158 4020b7 28 API calls 84157->84158 84159 404ca1 84157->84159 84163 401fd8 11 API calls 84157->84163 84265 404b96 84157->84265 84271 401fe2 84157->84271 84280 404cc3 84157->84280 84158->84157 84293 404e26 WaitForSingleObject 84159->84293 84163->84157 84164 401fd8 11 API calls 84165 404cb1 84164->84165 84166 401fd8 11 API calls 84165->84166 84167 404cba 84166->84167 84167->84069 84169->84080 84171 4020df 11 API calls 84170->84171 84172 40532a 84171->84172 84212 4032a0 84172->84212 84174 405346 84174->84092 84176 40209b 84175->84176 84177 4023ce 11 API calls 84176->84177 84178 
4020a6 84177->84178 84216 4024ed 84178->84216 84181 41b580 84182 41b631 84181->84182 84183 41b596 GetLocalTime 84181->84183 84185 401fd8 11 API calls 84182->84185 84184 40531e 28 API calls 84183->84184 84186 41b5d8 84184->84186 84187 41b639 84185->84187 84220 406383 84186->84220 84189 401fd8 11 API calls 84187->84189 84191 41b641 84189->84191 84191->84108 84192 402f10 28 API calls 84193 41b5f0 84192->84193 84194 406383 28 API calls 84193->84194 84195 41b5fc 84194->84195 84225 40723b 77 API calls 84195->84225 84197 41b60a 84198 401fd8 11 API calls 84197->84198 84199 41b616 84198->84199 84200 401fd8 11 API calls 84199->84200 84201 41b61f 84200->84201 84202 401fd8 11 API calls 84201->84202 84203 41b628 84202->84203 84204 401fd8 11 API calls 84203->84204 84204->84182 84205->84091 84206->84084 84207->84114 84208->84129 84209->84126 84210->84097 84214 4032aa 84212->84214 84213 4032c9 84213->84174 84214->84213 84215 4028e8 28 API calls 84214->84215 84215->84213 84217 4024f9 84216->84217 84218 40250a 28 API calls 84217->84218 84219 4020b1 84218->84219 84219->84181 84226 4051ef 84220->84226 84222 406391 84230 402055 84222->84230 84225->84197 84227 4051fb 84226->84227 84236 405274 84227->84236 84229 405208 84229->84222 84231 402061 84230->84231 84232 4023ce 11 API calls 84231->84232 84233 40207b 84232->84233 84258 40267a 84233->84258 84237 405282 84236->84237 84238 405288 84237->84238 84239 40529e 84237->84239 84247 4025f0 84238->84247 84241 4052f5 84239->84241 84242 4052b6 84239->84242 84256 4028a4 22 API calls 84241->84256 84243 40529c 84242->84243 84246 4028e8 28 API calls 84242->84246 84243->84229 84246->84243 84248 402888 22 API calls 84247->84248 84249 402602 84248->84249 84250 402672 84249->84250 84251 402629 84249->84251 84257 4028a4 22 API calls 84250->84257 84254 4028e8 28 API calls 84251->84254 84255 40263b 84251->84255 84254->84255 84255->84243 84259 40268b 84258->84259 84260 4023ce 11 API calls 84259->84260 84261 40208d 84260->84261 84261->84192 84263 4025f0 28 
API calls 84262->84263 84264 401fbd 84263->84264 84264->84148 84266 404ba0 WaitForSingleObject 84265->84266 84267 404bcd recv 84265->84267 84306 421107 54 API calls 84266->84306 84269 404be0 84267->84269 84269->84157 84270 404bbc SetEvent 84270->84269 84272 401ff1 84271->84272 84273 402039 84271->84273 84274 4023ce 11 API calls 84272->84274 84273->84157 84275 401ffa 84274->84275 84276 40203c 84275->84276 84278 402015 84275->84278 84277 40267a 11 API calls 84276->84277 84277->84273 84307 403098 28 API calls 84278->84307 84281 4020df 11 API calls 84280->84281 84286 404cde 84281->84286 84282 404e13 84283 401fd8 11 API calls 84282->84283 84284 404e1c 84283->84284 84284->84157 84285 4041a2 28 API calls 84285->84286 84286->84282 84286->84285 84287 401fe2 28 API calls 84286->84287 84288 4020f6 28 API calls 84286->84288 84291 401fd8 11 API calls 84286->84291 84308 4129da 84286->84308 84352 401fc0 84286->84352 84287->84286 84288->84286 84291->84286 84294 404e40 SetEvent FindCloseChangeNotification 84293->84294 84295 404e57 closesocket 84293->84295 84296 404ca8 84294->84296 84297 404e64 84295->84297 84296->84164 84298 404e7a 84297->84298 84889 4050e4 84 API calls 84297->84889 84300 404e8c WaitForSingleObject 84298->84300 84301 404ece SetEvent CloseHandle 84298->84301 84890 41e7a2 RtlDeleteCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 84300->84890 84301->84296 84303 404e9b SetEvent WaitForSingleObject 84891 41e7a2 RtlDeleteCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 84303->84891 84305 404eb3 SetEvent CloseHandle CloseHandle 84305->84301 84306->84270 84307->84273 84309 4129ec 84308->84309 84356 4041a2 84309->84356 84312 4020f6 28 API calls 84313 412a0e 84312->84313 84314 4020f6 28 API calls 84313->84314 84315 412a1d 84314->84315 84359 41beac 84315->84359 84318 412ace 84319 401e8d 11 API calls 84318->84319 84321 412ad7 84319->84321 84320 401e65 22 API calls 84322 412a3d 84320->84322 84323 401fd8 11 API calls 84321->84323 84324 4020f6 28 API 
calls 84322->84324 84325 412ae0 84323->84325 84326 412a48 84324->84326 84327 401fd8 11 API calls 84325->84327 84328 401e65 22 API calls 84326->84328 84329 412ae8 84327->84329 84330 412a53 84328->84330 84329->84286 84331 4020f6 28 API calls 84330->84331 84332 412a5e 84331->84332 84333 401e65 22 API calls 84332->84333 84334 412a69 84333->84334 84335 4020f6 28 API calls 84334->84335 84336 412a74 84335->84336 84337 401e65 22 API calls 84336->84337 84338 412a7f 84337->84338 84339 4020f6 28 API calls 84338->84339 84340 412a8a 84339->84340 84341 401e65 22 API calls 84340->84341 84342 412a95 84341->84342 84343 4020f6 28 API calls 84342->84343 84344 412aa0 84343->84344 84345 401e65 22 API calls 84344->84345 84346 412aae 84345->84346 84347 4020f6 28 API calls 84346->84347 84348 412ab9 84347->84348 84381 412aef GetModuleFileNameW 84348->84381 84351 404e26 99 API calls 84351->84318 84353 401fd2 CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 84352->84353 84354 401fc9 84352->84354 84353->84286 84748 415b25 84353->84748 84747 4025e0 28 API calls 84354->84747 84528 40423a 84356->84528 84360 4020df 11 API calls 84359->84360 84380 41bebf 84360->84380 84361 41bf2f 84362 401fd8 11 API calls 84361->84362 84363 41bf61 84362->84363 84364 401fd8 11 API calls 84363->84364 84367 41bf69 84364->84367 84365 41bf31 84368 4041a2 28 API calls 84365->84368 84366 4041a2 28 API calls 84366->84380 84369 401fd8 11 API calls 84367->84369 84370 41bf3d 84368->84370 84373 412a26 84369->84373 84371 401fe2 28 API calls 84370->84371 84374 41bf46 84371->84374 84372 401fe2 28 API calls 84372->84380 84373->84318 84373->84320 84375 401fd8 11 API calls 84374->84375 84377 41bf4e 84375->84377 84376 401fd8 11 API calls 84376->84380 84535 41cec5 28 API calls 84377->84535 84380->84361 84380->84365 84380->84366 84380->84372 84380->84376 84534 41cec5 28 API calls 84380->84534 84382 4020df 11 API calls 84381->84382 84383 412b1a 84382->84383 84384 4020df 11 API calls 84383->84384 84385 412b26 
84384->84385 84386 4020df 11 API calls 84385->84386 84395 412b32 84386->84395 84387 40da23 32 API calls 84387->84395 84388 401fd8 11 API calls 84388->84395 84389 41ba09 43 API calls 84389->84395 84390 4042fc 79 API calls 84390->84395 84391 40431d 28 API calls 84391->84395 84392 403014 28 API calls 84392->84395 84393 412c58 Sleep 84393->84395 84394 4185a3 31 API calls 84394->84395 84395->84387 84395->84388 84395->84389 84395->84390 84395->84391 84395->84392 84395->84393 84395->84394 84396 412cfa Sleep 84395->84396 84397 40417e 28 API calls 84395->84397 84398 401f09 11 API calls 84395->84398 84399 412d9c Sleep 84395->84399 84400 412dff DeleteFileW 84395->84400 84401 41c516 32 API calls 84395->84401 84402 412e36 DeleteFileW 84395->84402 84403 412e88 Sleep 84395->84403 84404 412e72 DeleteFileW 84395->84404 84405 412f01 84395->84405 84412 412ecd Sleep 84395->84412 84396->84395 84397->84395 84398->84395 84399->84395 84400->84395 84401->84395 84402->84395 84403->84395 84404->84395 84406 401f09 11 API calls 84405->84406 84407 412f0d 84406->84407 84408 401f09 11 API calls 84407->84408 84409 412f19 84408->84409 84410 401f09 11 API calls 84409->84410 84411 412f25 84410->84411 84536 40b93f 84411->84536 84414 401f09 11 API calls 84412->84414 84419 412edd 84414->84419 84415 412f38 84417 4020f6 28 API calls 84415->84417 84416 401f09 11 API calls 84416->84419 84418 412f58 84417->84418 84542 413268 84418->84542 84419->84395 84419->84416 84421 412eff 84419->84421 84421->84411 84424 412f6f 84425 4130e3 84424->84425 84426 412f8f 84424->84426 84557 41bdaf 84425->84557 84428 41bdaf 28 API calls 84426->84428 84430 412f9b 84428->84430 84570 41bc1f 84430->84570 84431 402f31 28 API calls 84433 413123 84431->84433 84435 402f10 28 API calls 84433->84435 84437 413132 84435->84437 84436 402f31 28 API calls 84438 412fe5 84436->84438 84439 402f10 28 API calls 84437->84439 84440 402f10 28 API calls 84438->84440 84442 41313e 84439->84442 84441 412ff4 84440->84441 84444 402f10 28 API calls 
84441->84444 84443 402f10 28 API calls 84442->84443 84445 41314d 84443->84445 84446 413003 84444->84446 84447 402f10 28 API calls 84445->84447 84448 402f10 28 API calls 84446->84448 84449 41315c 84447->84449 84450 413012 84448->84450 84451 402f10 28 API calls 84449->84451 84452 402f10 28 API calls 84450->84452 84453 41316b 84451->84453 84454 413021 84452->84454 84455 402f10 28 API calls 84453->84455 84456 402f10 28 API calls 84454->84456 84457 41317a 84455->84457 84458 41302d 84456->84458 84561 402ea1 84457->84561 84460 402f10 28 API calls 84458->84460 84462 413039 84460->84462 84464 402ea1 28 API calls 84462->84464 84463 404aa1 61 API calls 84465 413191 84463->84465 84466 413048 84464->84466 84467 401fd8 11 API calls 84465->84467 84468 402f10 28 API calls 84466->84468 84469 41319d 84467->84469 84470 413054 84468->84470 84471 401fd8 11 API calls 84469->84471 84472 402ea1 28 API calls 84470->84472 84474 4131a9 84471->84474 84473 41305e 84472->84473 84476 404aa1 61 API calls 84473->84476 84475 401fd8 11 API calls 84474->84475 84477 4131b5 84475->84477 84478 41306b 84476->84478 84479 401fd8 11 API calls 84477->84479 84480 401fd8 11 API calls 84478->84480 84481 4131c1 84479->84481 84482 413074 84480->84482 84483 401fd8 11 API calls 84481->84483 84484 401fd8 11 API calls 84482->84484 84485 4131ca 84483->84485 84486 41307d 84484->84486 84487 401fd8 11 API calls 84485->84487 84488 401fd8 11 API calls 84486->84488 84489 4131d3 84487->84489 84490 413086 84488->84490 84491 401fd8 11 API calls 84489->84491 84492 401fd8 11 API calls 84490->84492 84493 4130d7 84491->84493 84494 41308f 84492->84494 84496 401fd8 11 API calls 84493->84496 84495 401fd8 11 API calls 84494->84495 84497 41309b 84495->84497 84498 4131e5 84496->84498 84499 401fd8 11 API calls 84497->84499 84500 401f09 11 API calls 84498->84500 84501 4130a7 84499->84501 84502 4131f1 84500->84502 84503 401fd8 11 API calls 84501->84503 84505 401fd8 11 API calls 84502->84505 84504 4130b3 84503->84504 84507 401fd8 11 API 
calls 84504->84507 84506 4131fd 84505->84506 84508 401fd8 11 API calls 84506->84508 84509 4130bf 84507->84509 84510 413209 84508->84510 84511 401fd8 11 API calls 84509->84511 84512 401fd8 11 API calls 84510->84512 84513 4130cb 84511->84513 84514 413215 84512->84514 84515 401fd8 11 API calls 84513->84515 84516 401fd8 11 API calls 84514->84516 84515->84493 84517 413221 84516->84517 84518 401fd8 11 API calls 84517->84518 84519 41322d 84518->84519 84520 401fd8 11 API calls 84519->84520 84521 413239 84520->84521 84522 401fd8 11 API calls 84521->84522 84523 413245 84522->84523 84524 401fd8 11 API calls 84523->84524 84525 413251 84524->84525 84526 401fd8 11 API calls 84525->84526 84527 412abe 84526->84527 84527->84351 84529 404243 84528->84529 84530 4023ce 11 API calls 84529->84530 84531 40424e 84530->84531 84532 402569 28 API calls 84531->84532 84533 4041b5 84532->84533 84533->84312 84534->84380 84535->84361 84537 40b947 84536->84537 84575 402252 84537->84575 84539 40b952 84579 40b967 84539->84579 84541 40b961 84541->84415 84543 4132a6 84542->84543 84545 413277 84542->84545 84544 4132b5 84543->84544 84613 10001c5b 84543->84613 84607 40417e 84544->84607 84617 411d2d 84545->84617 84550 401fd8 11 API calls 84552 412f63 84550->84552 84554 401f09 84552->84554 84555 402252 11 API calls 84554->84555 84556 401f12 84555->84556 84556->84424 84558 41bdbc 84557->84558 84559 4020b7 28 API calls 84558->84559 84560 4130ec 84559->84560 84560->84431 84567 402eb0 84561->84567 84562 402ef2 84563 401fb0 28 API calls 84562->84563 84564 402ef0 84563->84564 84565 402055 11 API calls 84564->84565 84566 402f09 84565->84566 84566->84463 84567->84562 84568 402ee7 84567->84568 84737 403365 28 API calls 84568->84737 84738 441ed1 84570->84738 84573 402093 28 API calls 84574 412fb5 84573->84574 84574->84436 84576 4022ac 84575->84576 84577 40225c 84575->84577 84576->84539 84577->84576 84586 402779 11 API calls std::_Deallocate 84577->84586 84580 40b9a1 84579->84580 84581 40b973 84579->84581 84598 
4028a4 22 API calls 84580->84598 84587 4027e6 84581->84587 84585 40b97d 84585->84541 84586->84576 84588 4027ef 84587->84588 84589 402851 84588->84589 84590 4027f9 84588->84590 84605 4028a4 22 API calls 84589->84605 84593 402802 84590->84593 84594 402815 84590->84594 84599 402aea 84593->84599 84596 402813 84594->84596 84597 402252 11 API calls 84594->84597 84596->84585 84597->84596 84600 402af4 __EH_prolog 84599->84600 84606 402e45 22 API calls 84600->84606 84602 402252 11 API calls 84604 402bce 84602->84604 84603 402b60 84603->84602 84604->84596 84606->84603 84608 404186 84607->84608 84609 402252 11 API calls 84608->84609 84610 404191 84609->84610 84621 4041bc 84610->84621 84614 10001c6b ___scrt_fastfail 84613->84614 84642 100012ee 84614->84642 84616 10001c87 84616->84544 84684 411d39 84617->84684 84620 411fa2 22 API calls new 84620->84543 84622 4041c8 84621->84622 84625 4041d9 84622->84625 84624 40419c 84624->84550 84626 4041e9 84625->84626 84627 404206 84626->84627 84628 4041ef 84626->84628 84629 4027e6 28 API calls 84627->84629 84632 404267 84628->84632 84631 404204 84629->84631 84631->84624 84633 402888 22 API calls 84632->84633 84634 40427b 84633->84634 84635 404290 84634->84635 84636 4042a5 84634->84636 84637 4042df 22 API calls 84635->84637 84638 4027e6 28 API calls 84636->84638 84639 404299 84637->84639 84641 4042a3 84638->84641 84640 402c48 22 API calls 84639->84640 84640->84641 84641->84631 84643 10001324 ___scrt_fastfail 84642->84643 84644 100013b7 GetEnvironmentVariableW 84643->84644 84668 100010f1 84644->84668 84647 100010f1 57 API calls 84648 10001465 84647->84648 84649 100010f1 57 API calls 84648->84649 84650 10001479 84649->84650 84651 100010f1 57 API calls 84650->84651 84652 1000148d 84651->84652 84653 100010f1 57 API calls 84652->84653 84654 100014a1 84653->84654 84655 100010f1 57 API calls 84654->84655 84656 100014b5 lstrlenW 84655->84656 84657 100014d2 84656->84657 84658 100014d9 lstrlenW 84656->84658 84657->84616 84659 100010f1 57 API calls 
84658->84659 84660 10001501 lstrlenW lstrcatW 84659->84660 84661 100010f1 57 API calls 84660->84661 84662 10001539 lstrlenW lstrcatW 84661->84662 84663 100010f1 57 API calls 84662->84663 84664 1000156b lstrlenW lstrcatW 84663->84664 84665 100010f1 57 API calls 84664->84665 84666 1000159d lstrlenW lstrcatW 84665->84666 84667 100010f1 57 API calls 84666->84667 84667->84657 84669 10001118 ___scrt_fastfail 84668->84669 84670 10001129 lstrlenW 84669->84670 84681 10002c40 84670->84681 84673 10001177 lstrlenW FindFirstFileW 84675 100011a0 84673->84675 84676 100011e1 84673->84676 84674 10001168 lstrlenW 84674->84673 84677 100011c7 FindNextFileW 84675->84677 84678 100011aa 84675->84678 84676->84647 84677->84675 84680 100011da FindClose 84677->84680 84678->84677 84683 10001000 57 API calls ___scrt_fastfail 84678->84683 84680->84676 84682 10001148 lstrcatW lstrlenW 84681->84682 84682->84673 84682->84674 84683->84678 84717 4117d7 84684->84717 84686 411d57 84687 411d6d SetLastError 84686->84687 84688 4117d7 SetLastError 84686->84688 84714 411d35 84686->84714 84687->84714 84689 411d8a 84688->84689 84689->84687 84691 411dac GetNativeSystemInfo 84689->84691 84689->84714 84692 411df2 84691->84692 84703 411dff SetLastError 84692->84703 84720 411cde VirtualAlloc 84692->84720 84695 411e22 84696 411e47 GetProcessHeap RtlAllocateHeap 84695->84696 84730 411cde VirtualAlloc 84695->84730 84698 411e70 84696->84698 84699 411e5e 84696->84699 84702 4117d7 SetLastError 84698->84702 84731 411cf5 VirtualFree 84699->84731 84700 411e3a 84700->84696 84700->84703 84704 411eb9 84702->84704 84703->84714 84705 411f6b 84704->84705 84721 411cde VirtualAlloc 84704->84721 84732 4120b2 GetProcessHeap HeapFree 84705->84732 84708 411ed2 ctype 84722 4117ea SetLastError ctype ___scrt_fastfail 84708->84722 84710 411efe 84710->84705 84723 411b9a 26 API calls 84710->84723 84712 411f2b 84712->84705 84724 41198a 84712->84724 84714->84620 84715 411f36 84715->84705 84715->84714 84716 411f60 SetLastError 84715->84716 
84716->84705 84718 4117e6 84717->84718 84719 4117db SetLastError 84717->84719 84718->84686 84719->84686 84720->84695 84721->84708 84722->84710 84723->84712 84728 4119b0 84724->84728 84725 411a99 84726 4118ed VirtualProtect 84725->84726 84727 411aab 84726->84727 84727->84715 84728->84725 84728->84727 84733 4118ed 84728->84733 84730->84700 84731->84703 84732->84714 84734 4118fe 84733->84734 84736 4118f6 84733->84736 84735 411971 VirtualProtect 84734->84735 84734->84736 84735->84736 84736->84728 84737->84564 84739 441edd 84738->84739 84742 441ccd 84739->84742 84741 41bc43 84741->84573 84743 441ce4 84742->84743 84744 441d1b __cftoe 84743->84744 84746 44062d 20 API calls _Atexit 84743->84746 84744->84741 84744->84744 84746->84744 84747->84353 84749 4020f6 28 API calls 84748->84749 84750 415b47 SetEvent 84749->84750 84751 415b5c 84750->84751 84752 4041a2 28 API calls 84751->84752 84753 415b76 84752->84753 84754 4020f6 28 API calls 84753->84754 84755 415b86 84754->84755 84756 4020f6 28 API calls 84755->84756 84757 415b98 84756->84757 84758 41beac 28 API calls 84757->84758 84759 415ba1 84758->84759 84761 415bc1 GetTickCount 84759->84761 84762 415d20 84759->84762 84825 415d11 84759->84825 84760 401e8d 11 API calls 84764 4170cd 84760->84764 84763 41bc1f 28 API calls 84761->84763 84762->84825 84826 415d34 84762->84826 84767 415bd2 84763->84767 84766 401fd8 11 API calls 84764->84766 84769 4170d9 84766->84769 84827 41bb77 GetLastInputInfo GetTickCount 84767->84827 84770 401fd8 11 API calls 84769->84770 84773 4170e5 84770->84773 84771 415bde 84772 41bc1f 28 API calls 84771->84772 84774 415be9 84772->84774 84828 41bb27 84774->84828 84777 41bdaf 28 API calls 84778 415c05 84777->84778 84779 401e65 22 API calls 84778->84779 84780 415c13 84779->84780 84781 402f31 28 API calls 84780->84781 84782 415c21 84781->84782 84783 402ea1 28 API calls 84782->84783 84784 415c30 84783->84784 84785 402f10 28 API calls 84784->84785 84786 415c3f 84785->84786 84787 402ea1 28 API calls 84786->84787 
84788 415c4e 84787->84788 84789 402f10 28 API calls 84788->84789 84790 415c5a 84789->84790 84791 402ea1 28 API calls 84790->84791 84792 415c64 84791->84792 84793 404aa1 61 API calls 84792->84793 84794 415c73 84793->84794 84795 401fd8 11 API calls 84794->84795 84796 415c7c 84795->84796 84797 401fd8 11 API calls 84796->84797 84798 415c88 84797->84798 84799 401fd8 11 API calls 84798->84799 84800 415c94 84799->84800 84801 401fd8 11 API calls 84800->84801 84802 415ca0 84801->84802 84803 401fd8 11 API calls 84802->84803 84804 415cac 84803->84804 84805 401fd8 11 API calls 84804->84805 84806 415cb8 84805->84806 84807 401f09 11 API calls 84806->84807 84808 415cc1 84807->84808 84809 401fd8 11 API calls 84808->84809 84810 415cca 84809->84810 84811 401fd8 11 API calls 84810->84811 84812 415cd3 84811->84812 84813 401e65 22 API calls 84812->84813 84814 415cde 84813->84814 84833 43bb2c 84814->84833 84817 415cf0 84820 415d09 84817->84820 84821 415cfe 84817->84821 84818 415d16 84819 401e65 22 API calls 84818->84819 84819->84762 84838 404f51 84820->84838 84837 404ff4 82 API calls 84821->84837 84824 415d04 84824->84825 84825->84760 84853 4050e4 84 API calls 84826->84853 84827->84771 84854 436f10 84828->84854 84831 40417e 28 API calls 84832 415bf7 84831->84832 84832->84777 84834 43bb45 _strftime 84833->84834 84856 43ae83 84834->84856 84836 415ceb 84836->84817 84836->84818 84837->84824 84839 404fea 84838->84839 84840 404f65 84838->84840 84839->84825 84841 404f6e 84840->84841 84842 404fc0 CreateEventA CreateThread 84840->84842 84843 404f7d GetLocalTime 84840->84843 84841->84842 84842->84839 84885 405150 84842->84885 84844 41bc1f 28 API calls 84843->84844 84845 404f91 84844->84845 84884 4052fd 28 API calls 84845->84884 84853->84824 84855 41bb46 GetForegroundWindow GetWindowTextW 84854->84855 84855->84831 84872 43ba8a 84856->84872 84858 43ae95 84859 43aed0 84858->84859 84861 43aeaa 84858->84861 84871 43aeaf __cftoe 84858->84871 84878 43a837 36 API calls 2 library calls 84859->84878 84877 
44062d 20 API calls _Atexit 84861->84877 84864 43aedc 84865 43af0b 84864->84865 84879 43bacf 40 API calls __Tolower 84864->84879 84868 43af77 84865->84868 84880 43ba36 20 API calls 2 library calls 84865->84880 84881 43ba36 20 API calls 2 library calls 84868->84881 84869 43b03e _strftime 84869->84871 84882 44062d 20 API calls _Atexit 84869->84882 84871->84836 84873 43baa2 84872->84873 84874 43ba8f 84872->84874 84873->84858 84883 44062d 20 API calls _Atexit 84874->84883 84876 43ba94 __cftoe 84876->84858 84877->84871 84878->84864 84879->84864 84880->84868 84881->84869 84882->84871 84883->84876 84888 40515c 102 API calls 84885->84888 84887 405159 84888->84887 84889->84298 84890->84303 84891->84305 84892 51098 84895 542de 84892->84895 84894 5109d 84896 5a961 8 API calls 84895->84896 84897 542f5 GetVersionExW 84896->84897 84898 56b57 8 API calls 84897->84898 84899 54342 84898->84899 84900 593b2 8 API calls 84899->84900 84905 54378 84899->84905 84901 5436c 84900->84901 84903 537a0 8 API calls 84901->84903 84902 5441b GetCurrentProcess IsWow64Process 84904 54437 84902->84904 84903->84905 84906 5444f LoadLibraryA 84904->84906 84907 93824 GetSystemInfo 84904->84907 84905->84902 84912 937df 84905->84912 84908 54460 GetProcAddress 84906->84908 84909 5449c GetSystemInfo 84906->84909 84908->84909 84910 54470 GetNativeSystemInfo 84908->84910 84911 54476 84909->84911 84910->84911 84913 54481 84911->84913 84914 5447a FreeLibrary 84911->84914 84913->84894 84914->84913 84915 40165e 84916 401666 84915->84916 84917 401669 84915->84917 84918 4016a8 84917->84918 84920 401696 84917->84920 84919 43455e new 22 API calls 84918->84919 84921 40169c 84919->84921 84923 43455e 84920->84923 84925 434563 84923->84925 84924 43bda0 new 21 API calls 84924->84925 84925->84924 84926 43458f 84925->84926 84930 443001 7 API calls 2 library calls 84925->84930 84931 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 84925->84931 84932 4352fb RaiseException 
Concurrency::cancel_current_task __CxxThrowException@8 84925->84932 84926->84921 84930->84925 84933 52da5 84934 91f50 84933->84934 84935 52db2 GetLongPathNameW 84934->84935 84936 56b57 8 API calls 84935->84936 84937 52dda 84936->84937 84938 52ea5 84939 52ead 84938->84939 84943 92cb0 84938->84943 84993 5a8c7 8 API calls 84939->84993 84941 52ec3 84994 56f88 8 API calls 84941->84994 85007 53084 8 API calls 84943->85007 84944 52ecf 84945 59cb3 8 API calls 84944->84945 84946 52edc 84945->84946 84995 5a81b 18 API calls 84946->84995 84949 52eec 84951 59cb3 8 API calls 84949->84951 84950 92d02 85008 53084 8 API calls 84950->85008 84952 52f12 84951->84952 84996 5a81b 18 API calls 84952->84996 84955 92d1e 84956 53a5a 10 API calls 84955->84956 84957 92d44 84956->84957 85009 53084 8 API calls 84957->85009 84958 52f21 84961 5a961 8 API calls 84958->84961 84960 92d50 85010 5a8c7 8 API calls 84960->85010 84963 52f3f 84961->84963 84997 53084 8 API calls 84963->84997 84964 92d5e 85011 53084 8 API calls 84964->85011 84967 52f4b 84967->84943 84969 52f63 84967->84969 84968 92d6d 85012 5a8c7 8 API calls 84968->85012 84969->84950 84972 52f78 84969->84972 84971 92d83 85013 53084 8 API calls 84971->85013 84972->84955 84976 52f8d 84972->84976 84974 92d90 84975 52fdc 84975->84968 84977 52fe8 84975->84977 84976->84975 84998 53084 8 API calls 84976->84998 84977->84974 85001 563eb 8 API calls 84977->85001 84980 52fbf 84999 5a8c7 8 API calls 84980->84999 84981 52ff8 85002 56a50 8 API calls 84981->85002 84984 52fcd 85000 53084 8 API calls 84984->85000 84986 53006 85003 570b0 9 API calls 84986->85003 84990 53021 84991 53065 84990->84991 85004 56f88 8 API calls 84990->85004 85005 570b0 9 API calls 84990->85005 85006 53084 8 API calls 84990->85006 84993->84941 84994->84944 84995->84949 84996->84958 84997->84967 84998->84980 84999->84984 85000->84975 85001->84981 85002->84986 85003->84990 85004->84990 85005->84990 85006->84990 85007->84950 85008->84955 85009->84960 85010->84964 85011->84968 
Execution graph (rendered node and edge listing of the graph image, not reproduced here)

                      Control-flow Graph

                      APIs
                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad$HandleModule
                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                      • API String ID: 4236061018-3687161714
                      • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                      • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                      • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                      • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                      Control-flow Graph (rendered graph omitted: the executed/not-executed node colouring and the basic-block edge listing are not reproduced here)
                      APIs
                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                      • GetProcAddress.KERNEL32(00000000), ref: 00418174
                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                      • GetProcAddress.KERNEL32(00000000), ref: 00418188
                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                      • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                      • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                      • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                      • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                      • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
                      • NtClose.NTDLL(?), ref: 00418332
                      • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                      • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                      • ResumeThread.KERNEL32(?), ref: 00418470
                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                      • GetCurrentProcess.KERNEL32(?), ref: 00418492
                      • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                      • NtClose.NTDLL(?), ref: 004184A3
                      • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                      • GetLastError.KERNEL32 ref: 004184B5
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                      • API String ID: 3150337530-3035715614
                      • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                      • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                      • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                      • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                      Control-flow Graph (rendered graph omitted: the executed/not-executed node colouring and the basic-block edge listing are not reproduced here)
                      APIs
                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0005316A,?,?), ref: 000531D8
                      • KillTimer.USER32(?,00000001,?,?,?,?,?,0005316A,?,?), ref: 00053204
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00053227
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00053232
                      • CreatePopupMenu.USER32 ref: 00053246
                      • PostQuitMessage.USER32(00000000), ref: 00053267
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                      • String ID: TaskbarCreated
                      • API String ID: 157504867-2362178303
                      • Opcode ID: 3287946916e54c2832ffa4f3c6941a1604ba2ad6631c47966f52dbfca44cb99c
                      • Instruction ID: b58f46dac278578ef528758c4ddd75abde9df06ca4b3f7599058172e4c6cfe98
                      • Opcode Fuzzy Hash: 3287946916e54c2832ffa4f3c6941a1604ba2ad6631c47966f52dbfca44cb99c
                      • Instruction Fuzzy Hash: BD418B30204644BBEF349B389D4DBBF3A9AF7153C6F040125FD02965A2CB718E99D7A5
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                      • lstrcatW.KERNEL32(?,?), ref: 10001151
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                      • FindClose.KERNEL32(00000000), ref: 100011DB
                      Memory Dump Source
                      • Source File: 00000002.00000002.3714287463.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                      • Associated: 00000002.00000002.3714157300.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3714287463.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_10000000_Monteverdi.jbxd
                      Similarity
                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                      • String ID:
                      • API String ID: 1083526818-0
                      • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                      • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                      • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                      • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6
                      APIs
                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                      • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                      • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                      Strings
                      • http://geoplugin.net/json.gp, xrefs: 0041B448
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleOpen$FileRead
                      • String ID: http://geoplugin.net/json.gp
                      • API String ID: 3121278467-91888290
                      • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                      • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                      • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                      • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                      APIs
                        • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                      • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                      • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                        • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00411E52
                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                        • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                        • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                      • String ID:
                      • API String ID: 2227336758-0
                      • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                      • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                      • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                      • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                      APIs
                        • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                        • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                        • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                      • Sleep.KERNEL32(00000BB8), ref: 0040F896
                      • ExitProcess.KERNEL32 ref: 0040F905
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseExitOpenProcessQuerySleepValue
                      • String ID: 5.1.1 Pro$override$pth_unenc
                      • API String ID: 2281282204-2344886030
                      • Opcode ID: 077b0451481bc85b1eca9d02d35cd6b1b13a66a4ddac241b8030233240a4e94f
                      • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                      • Opcode Fuzzy Hash: 077b0451481bc85b1eca9d02d35cd6b1b13a66a4ddac241b8030233240a4e94f
                      • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                      APIs
                      • lstrlenW.KERNEL32(?,00095222), ref: 000BDBCE
                      • GetFileAttributesW.KERNEL32(?), ref: 000BDBDD
                      • FindFirstFileW.KERNEL32(?,?), ref: 000BDBEE
                      • FindClose.KERNEL32(00000000), ref: 000BDBFA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: FileFind$AttributesCloseFirstlstrlen
                      • String ID:
                      • API String ID: 2695905019-0
                      • Opcode ID: 6b54a1f30c8cd4dca2aa540e4afa0b9072dc3169923f0a412c2d1943e7c72216
                      • Instruction ID: 809eaf6855366c35ed61f6be34c09bfff044c8f1008c6ee51b2d6a9cc72dcf77
                      • Opcode Fuzzy Hash: 6b54a1f30c8cd4dca2aa540e4afa0b9072dc3169923f0a412c2d1943e7c72216
                      • Instruction Fuzzy Hash: 8BF0E53081091197A2206B7CAC4ECEABBAC9F02334B104707F936D20F0FBB55D56C6D5
                      APIs
                      • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                      • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Name$ComputerUser
                      • String ID:
                      • API String ID: 4229901323-0
                      • Opcode ID: 1bdb1b444e31cc85a3aeaac18ca5b9946824f987dbc55398ed07e24c53412e85
                      • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                      • Opcode Fuzzy Hash: 1bdb1b444e31cc85a3aeaac18ca5b9946824f987dbc55398ed07e24c53412e85
                      • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8

                      Control-flow Graph (function starting at 0040EA00; interactive executed / not-executed block rendering not reproduced)
                      APIs
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\scrolar\Monteverdi.exe,00000104), ref: 0040EA29
                        • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                      • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\AppData\Local\scrolar\Monteverdi.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-NKQ1SM$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                      • API String ID: 2830904901-1259793067
                      • Opcode ID: 0400b5e41a5d34231e2f14ac6c1621c7ca96275b27cec4f49d85524cf3520b45
                      • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                      • Opcode Fuzzy Hash: 0400b5e41a5d34231e2f14ac6c1621c7ca96275b27cec4f49d85524cf3520b45
                      • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                      Control-flow Graph (function starting at 00414F65; interactive executed / not-executed block rendering not reproduced)
                      APIs
                      • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                      • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                      • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$ErrorLastLocalTime
                      • String ID: | $%I64u$5.1.1 Pro$8SG$C:\Users\user\AppData\Local\scrolar\Monteverdi.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-NKQ1SM$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                      • API String ID: 524882891-875590643
                      • Opcode ID: b017a3ac86c6d1aee7f5525d09a0a7ab5c139c4a7f409468b6eb2934c867146c
                      • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                      • Opcode Fuzzy Hash: b017a3ac86c6d1aee7f5525d09a0a7ab5c139c4a7f409468b6eb2934c867146c
                      • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                      Control-flow Graph (function starting at 00412AEF; interactive executed / not-executed block rendering not reproduced)
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                        • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                      • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                      • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                      • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                      • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                      • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                      • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                      • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                      • Sleep.KERNEL32(00000064), ref: 00412ECF
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                      • String ID: /stext "$0TG$0TG$NG$NG
                      • API String ID: 1223786279-2576077980
                      • Opcode ID: 22dc35138b7920030c5d3a4ffb102177871a25a2f243a233058b99cba0250bbe
                      • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                      • Opcode Fuzzy Hash: 22dc35138b7920030c5d3a4ffb102177871a25a2f243a233058b99cba0250bbe
                      • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

                      Control-flow Graph (rendering not reproduced)
                      APIs
                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                        • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                        • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                        • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                        • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                      • lstrlenW.KERNEL32(?), ref: 100014C5
                      • lstrlenW.KERNEL32(?), ref: 100014E0
                      • lstrlenW.KERNEL32(?,?), ref: 1000150F
                      • lstrcatW.KERNEL32(00000000), ref: 10001521
                      • lstrlenW.KERNEL32(?,?), ref: 10001547
                      • lstrcatW.KERNEL32(00000000), ref: 10001553
                      • lstrlenW.KERNEL32(?,?), ref: 10001579
                      • lstrcatW.KERNEL32(00000000), ref: 10001585
                      • lstrlenW.KERNEL32(?,?), ref: 100015AB
                      • lstrcatW.KERNEL32(00000000), ref: 100015B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3714287463.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                      • Associated: 00000002.00000002.3714157300.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3714287463.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_10000000_Monteverdi.jbxd
                      Similarity
                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                      • String ID: )$Foxmail$ProgramFiles
                      • API String ID: 672098462-2938083778
                      • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                      • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                      • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                      • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                      Control-flow Graph (function starting at 000542DE; interactive executed / not-executed block rendering not reproduced)
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 0005430D
                        • Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A
                      • GetCurrentProcess.KERNEL32(?,000ECB64,00000000,?,?), ref: 00054422
                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00054429
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00054454
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00054466
                      • GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00054474
                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0005447B
                      • GetSystemInfo.KERNEL32(?,?,?), ref: 000544A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                      • API String ID: 3290436268-3101561225
                      • Opcode ID: d09c7ead0eb87f15fefd1e4b8134403207a52492fe514f064aac693d2568459c
                      • Instruction ID: d34e74fcb450b87fa8fe0519028750030eb758e96bf0e1757d859adc27c14c03
                      • Opcode Fuzzy Hash: d09c7ead0eb87f15fefd1e4b8134403207a52492fe514f064aac693d2568459c
                      • Instruction Fuzzy Hash: 5BA1C46290A2C0FFCB31CB6A7C845DA7FE67B76724B045899D44197E22D23046EBDF21

                      Control-flow Graph (rendering not reproduced)
                      APIs
                      • Sleep.KERNEL32(00001388), ref: 0040A77B
                        • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                        • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                        • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                        • Part of subcall function 0040A6B0: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                      • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
                      • String ID: 8SG$8SG$pQG$pQG$PG$PG
                      • API String ID: 110482706-1152054767
                      • Opcode ID: 6144cf37adff2a7f210bd31e1e2e67230f41baaa9fb228c2512d06c7f9e1b35a
                      • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                      • Opcode Fuzzy Hash: 6144cf37adff2a7f210bd31e1e2e67230f41baaa9fb228c2512d06c7f9e1b35a
                      • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                      Control-flow Graph

                      • Entry block 4048c8-4048e8 (connect); the graph image itself is not reproduced here.
                      APIs
                      • connect.WS2_32(FFFFFFFF,0141BB00,00000010), ref: 004048E0
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                      • WSAGetLastError.WS2_32 ref: 00404A21
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                      • API String ID: 994465650-2151626615
                      • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                      • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                      • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                      • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                      Control-flow Graph

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                      • FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                      • closesocket.WS2_32(000000FF), ref: 00404E5A
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                      • String ID:
                      • API String ID: 2403171778-0
                      • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                      • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                      • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                      • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                      Control-flow Graph

                      • Entry block 5344d-53572 (ends in RegOpenKeyExW); the graph image itself is not reproduced here.
                      APIs
                        • Part of subcall function 00053A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,0005351C,?,?,?,?,0005106A,-00120FC4), ref: 00053A78
                        • Part of subcall function 00053357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00053527,?,?,?,?,0005106A,-00120FC4), ref: 00053379
                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0005106A,-00120FC4), ref: 0005356A
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0005106A,-00120FC4), ref: 0009318D
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0005106A,-00120FC4), ref: 000931CE
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,0005106A,-00120FC4), ref: 00093210
                      • _wcslen.LIBCMT ref: 00093277
                      • _wcslen.LIBCMT ref: 00093286
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 98802146-2727554177
                      • Opcode ID: ff9f93209db6383588b8caba11846585b65d08812b94fe549ebdb94ecf671604
                      • Instruction ID: 81b6e313b01bec55499ffa87868f4ca9a41f13f37d216e9107065725b655cb82
                      • Opcode Fuzzy Hash: ff9f93209db6383588b8caba11846585b65d08812b94fe549ebdb94ecf671604
                      • Instruction Fuzzy Hash: F171B371504301BEC724DF65EC818AFBBE8FF89740F80042EF94597162EB359A8ACB52

                      Control-flow Graph

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0040AD73
                      • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                      • GetForegroundWindow.USER32 ref: 0040AD84
                      • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                      • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                        • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                      • String ID: [${ User has been idle for $ minutes }$]
                      • API String ID: 911427763-3954389425
                      • Opcode ID: cd7fe95a449e6e0fc0b63964b9a6b2421b8fd0577ee76cb056e7bb1106d995db
                      • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                      • Opcode Fuzzy Hash: cd7fe95a449e6e0fc0b63964b9a6b2421b8fd0577ee76cb056e7bb1106d995db
                      • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                      Control-flow Graph

                      • Entry block 40da6f-40da94; the graph image itself is not reproduced here.
                      APIs
                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: LongNamePath
                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                      • API String ID: 82841172-425784914
                      • Opcode ID: 1477ab1c134df82023f42978b4e1f93011bec4b9807944189709cd800a93564e
                      • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                      • Opcode Fuzzy Hash: 1477ab1c134df82023f42978b4e1f93011bec4b9807944189709cd800a93564e
                      • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00052B8E
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00052B9D
                      • LoadIconW.USER32(00000063), ref: 00052BB3
                      • LoadIconW.USER32(000000A4), ref: 00052BC5
                      • LoadIconW.USER32(000000A2), ref: 00052BD7
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00052BEF
                      • RegisterClassExW.USER32(?), ref: 00052C40
                        • Part of subcall function 00052CD4: GetSysColorBrush.USER32(0000000F), ref: 00052D07
                        • Part of subcall function 00052CD4: RegisterClassExW.USER32(00000030), ref: 00052D31
                        • Part of subcall function 00052CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00052D42
                        • Part of subcall function 00052CD4: LoadIconW.USER32(000000A9), ref: 00052D85
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                      • String ID: #$0$AutoIt v3
                      • API String ID: 2880975755-4155596026
                      • Opcode ID: b91ec18fe676a935fdba5e254629f1690d2bd02879a52ef10f8b69adbe35b5ed
                      • Instruction ID: 0d54730961edf96a497bd3a3210f9544fe68ebac402cff7b411418ada5e983cb
                      • Opcode Fuzzy Hash: b91ec18fe676a935fdba5e254629f1690d2bd02879a52ef10f8b69adbe35b5ed
                      • Instruction Fuzzy Hash: A0211D71E00354BBEB20DFA5EC95A997FB6FB58B60F00002AE500A6AA0D7B50592DF94
                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00052D07
                      • RegisterClassExW.USER32(00000030), ref: 00052D31
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00052D42
                      • LoadIconW.USER32(000000A9), ref: 00052D85
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 975902462-1005189915
                      • Opcode ID: c0884143b82b087a92ab1b686ff0ef92d28de4283458c2ea9a1ccc05da6bb17e
                      • Instruction ID: 83df9bbe471df4d1d8090490e76ec6b9b83043dd4d14f645babb9474efc2df1c
                      • Opcode Fuzzy Hash: c0884143b82b087a92ab1b686ff0ef92d28de4283458c2ea9a1ccc05da6bb17e
                      • Instruction Fuzzy Hash: FB21E5B1901348BFEB10DFA4E889BDDBBB4FB08B04F00411AF551BA6A0D7B60592CF91
                      APIs
                      • GetInputState.USER32 ref: 0005D807
                      • timeGetTime.WINMM ref: 0005DA07
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0005DB28
                      • TranslateMessage.USER32(?), ref: 0005DB7B
                      • DispatchMessageW.USER32(?), ref: 0005DB89
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0005DB9F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Message$Peek$DispatchInputStateTimeTranslatetime
                      • String ID:
                      • API String ID: 3249950245-0
                      • Opcode ID: e309317e559ffcc4ea2dc84b6e2b6710e89f9f2391358d970b0e5a2574146567
                      • Instruction ID: 87d4cd15a3f530492b16cb834528135dd2f3755e8f88adb5845a93bf82c5a856
                      • Opcode Fuzzy Hash: e309317e559ffcc4ea2dc84b6e2b6710e89f9f2391358d970b0e5a2574146567
                      • Instruction Fuzzy Hash: 65A1B130608341EFEB78CF24C894BAAB7E1BB55315F14852FE855872A1D770E889CF92
                      APIs
                        • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                        • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                        • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                        • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                        • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                      • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseCurrentOpenQueryValueWow64
                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                      • API String ID: 782494840-2070987746
                      • Opcode ID: 697c2019ecc49fbbbeb48104f1224f3a46b5ec4160ceda2913ffea691057c52c
                      • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                      • Opcode Fuzzy Hash: 697c2019ecc49fbbbeb48104f1224f3a46b5ec4160ceda2913ffea691057c52c
                      • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00052C91
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00052CB2
                      • ShowWindow.USER32(00000000,?,?,00052B2F), ref: 00052CC6
                      • ShowWindow.USER32(00000000,?,?,00052B2F), ref: 00052CCF
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: a99f39d03dd29daa69f5f4a55ad8de897e28489c7a1031fc8bbd4919afb619ad
                      • Instruction ID: 1c6ab7aa84ee0ca820de518a3031af0a219f2b867ba14a2cf1a1510003538c4c
                      • Opcode Fuzzy Hash: a99f39d03dd29daa69f5f4a55ad8de897e28489c7a1031fc8bbd4919afb619ad
                      • Instruction Fuzzy Hash: ECF0D0755403D47AF7319717AC4CE776E7EE7DAF60B010069F900A6960C67618A2DA70
                      APIs
                      • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                        • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3714287463.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                      • Associated: 00000002.00000002.3714157300.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3714287463.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_10000000_Monteverdi.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcProtectVirtual
                      • String ID:
                      • API String ID: 2099061454-0
                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                      • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                      • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                      APIs
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 000542C9
                      • LoadResource.KERNEL32(?,00000000), ref: 000935BE
                      • SizeofResource.KERNEL32(?,00000000), ref: 000935D3
                      • LockResource.KERNEL32(?), ref: 000935E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID: SCRIPT
                      • API String ID: 3473537107-3967369404
                      • Opcode ID: 6f5f22472770a983dfccbbb414e885dca94e74ef2415eeb2bd4d96c82d25b890
                      • Instruction ID: a4015af56dd7c519e90d5eb04f834ebfcc8f0dd1229f985d41b4f898d0cb72b7
                      • Opcode Fuzzy Hash: 6f5f22472770a983dfccbbb414e885dca94e74ef2415eeb2bd4d96c82d25b890
                      • Instruction Fuzzy Hash: 65117C70600741BFEB218B65DC88F677BB9EBC5B56F14416DB902AA250DB72DC468A20
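The FindResourceExW(?, 0000000A, SCRIPT, ...) call in the function above is the AutoIt runtime locating the compiled script it carries as an RT_RCDATA (type 10) resource named SCRIPT, which is what the "Binary is likely a compiled AutoIt script file" verdict rests on. The following is an added example, not Joe Sandbox or AutoIt code: a static walker over the PE resource tree that performs the same lookup on a file at rest, so the check can be repeated on a dropped binary without running it. It takes the raw bytes of the .rsrc section and that section's RVA (pulling those out of the PE headers is left to the caller, for example with pefile), returns the first language entry rather than reproducing the API's language matching, and assumes the data entry points back into the same section. The fixture it is tested against is constructed here, not taken from the sample.

```python
import struct

RT_RCDATA = 10            # resource type used by FindResourceExW(?, 0000000A, SCRIPT, ...) above
HIGH_BIT = 0x80000000     # on Name: "name is a string"; on OffsetToData: "points to a subdirectory"


def _entries(rsrc: bytes, dir_off: int):
    """Walk one IMAGE_RESOURCE_DIRECTORY and yield (key, offset, is_subdir) per entry.
    key is an integer ID or, for named entries, the UTF-16 string it points to."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        if name & HIGH_BIT:                         # IMAGE_RESOURCE_DIR_STRING_U: u16 length + chars
            s_off = name & 0x7FFFFFFF
            (length,) = struct.unpack_from("<H", rsrc, s_off)
            key = rsrc[s_off + 2 : s_off + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name & 0xFFFF
        yield key, data & 0x7FFFFFFF, bool(data & HIGH_BIT)


def find_resource(rsrc: bytes, type_key, name_key):
    """Type -> name -> language walk. Returns (data_rva, size) of the first language
    entry under the requested type/name pair, or None if that pair is absent."""
    for key, off, sub in _entries(rsrc, 0):
        if key != type_key or not sub:
            continue
        for key2, off2, sub2 in _entries(rsrc, off):
            if key2 != name_key or not sub2:
                continue
            for _lang, off3, sub3 in _entries(rsrc, off2):
                if not sub3:                        # IMAGE_RESOURCE_DATA_ENTRY: rva, size, codepage, reserved
                    rva, size = struct.unpack_from("<II", rsrc, off3)
                    return rva, size
    return None


def extract_autoit_script(rsrc: bytes, rsrc_rva: int):
    """Return the raw bytes of the RT_RCDATA resource named SCRIPT, or None if there is none.
    rsrc is the .rsrc section's contents and rsrc_rva its virtual address; the data RVA
    recorded in the data entry is assumed to fall inside that same section."""
    hit = find_resource(rsrc, RT_RCDATA, "SCRIPT")
    if hit is None:
        return None
    rva, size = hit
    off = rva - rsrc_rva
    if off < 0 or off + size > len(rsrc):
        raise ValueError("SCRIPT data entry points outside the .rsrc section")
    return rsrc[off : off + size]


def build_sample_rsrc(rsrc_rva: int, payload: bytes, name: str = "SCRIPT") -> bytes:
    """Constructed fixture (not from any real binary): a three-level resource tree
    RT_RCDATA -> <name> -> language 0x409 -> payload, laid out at fixed offsets
    (root at 0, type dir at 24, name dir at 48, data entry at 72, string table at 88)."""
    name_u16 = name.encode("utf-16-le")
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, HIGH_BIT | 24)
    type_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", HIGH_BIT | 88, HIGH_BIT | 48)
    name_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, 72)
    data_off = 88 + 2 + len(name_u16)            # payload sits right after the name string
    data_entry = struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)
    string_u = struct.pack("<H", len(name)) + name_u16
    return root + type_dir + name_dir + data_entry + string_u + payload


if __name__ == "__main__":
    sample = build_sample_rsrc(0x3000, b"constructed script body")
    print(extract_autoit_script(sample, 0x3000))
```

On a real file, feed it the section whose RVA range contains the resource data directory (IMAGE_DIRECTORY_ENTRY_RESOURCE); a SCRIPT hit is the static equivalent of the FindResourceExW call the interpreter makes at runtime.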
                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                      • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                      • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$ChangeCloseCreateFindNotificationSizeSleep
                      • String ID: XQG
                      • API String ID: 4068920109-3606453820
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 001D98DA
                      • GetProcAddress.KERNEL32(?,001D2FF9), ref: 001D98F8
                      • ExitProcess.KERNEL32(?,001D2FF9), ref: 001D9909
                      • VirtualProtect.KERNEL32(00050000,00001000,00000004,?,00000000), ref: 001D9957
                      • VirtualProtect.KERNEL32(00050000,00001000), ref: 001D996C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                       • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                      • String ID:
                      • API String ID: 1996367037-0
                      APIs
                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                        • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                        • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3714287463.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                       • Associated: 00000002.00000002.3714157300.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3714287463.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_10000000_Monteverdi.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcProtectVirtual
                      • String ID:
                      • API String ID: 2099061454-0
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C5A1,00000000,00000000,?), ref: 0041C4C1
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A922,?,00000000,00000000), ref: 0041C4DE
                      • CloseHandle.KERNEL32(00000000,?,0040A922,?,00000000,00000000), ref: 0041C4EA
                      • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A922,?,00000000,00000000), ref: 0041C4FB
                      • FindCloseChangeNotification.KERNEL32(00000000,?,0040A922,?,00000000,00000000), ref: 0041C508
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                      • String ID:
                      • API String ID: 1087594267-0
                      APIs
                      • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                      • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                      • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                      Memory Dump Source
                      • Source File: 00000002.00000002.3714287463.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                       • Associated: 00000002.00000002.3714157300.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3714287463.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_10000000_Monteverdi.jbxd
                      Similarity
                      • API ID: AddressProcProtectVirtual$HandleModule
                      • String ID:
                      • API String ID: 2152742572-0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountEventTick
                      • String ID: !D@$NG
                      • API String ID: 180926312-2721294649
                      APIs
                        • Part of subcall function 03BE22C0: Sleep.KERNEL32(000001F4), ref: 03BE22D1
                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03BE24D6
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: 5FQCT1OGNKCU4IPL
                      • API String ID: 2694422964-4036242590
                      APIs
                      • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                        • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                        • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTimewsprintf
                      • String ID: Offline Keylogger Started
                      • API String ID: 465354869-4114347211
                      APIs
                      • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                      • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                      Strings
                      • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Create$EventLocalThreadTime
                      • String ID: KeepAlive | Enabled | Timeout:
                      • API String ID: 2532271599-1507639952
                      APIs
                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00053B0F,SwapMouseButtons,00000004,?), ref: 00053B40
                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00053B0F,SwapMouseButtons,00000004,?,?,?,?,00054D9C), ref: 00053B61
                      • RegCloseKey.KERNEL32(00000000,?,?,00053B0F,SwapMouseButtons,00000004,?,?,?,?,00054D9C), ref: 00053B83
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                       • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                      • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137E1
                      • RegCloseKey.ADVAPI32(?,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: pth_unenc
                      • API String ID: 1818849710-4028850238
                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                      • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                      • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2579639479-0
                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                      • FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C576
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$ChangeCloseCreateFindNotificationReadSize
                      • String ID:
                      • API String ID: 2135649906-0
                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000933A2
                        • Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00053A04
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                       • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_wcslen
                      • String ID: Line:
                      • API String ID: 2289894680-1585850449
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00070668
                        • Part of subcall function 000732A4: RaiseException.KERNEL32(?,?,?,0007068A,?,001213F0,?,?,?,?,?,?,0007068A,?,00118738), ref: 00073304
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00070685
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                       • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Exception@8Throw$ExceptionRaise
                      • String ID: Unknown exception
                      • API String ID: 3476068407-410509341
                      APIs
                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                      • GetLastError.KERNEL32 ref: 0040D0BE
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                       • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateErrorLastMutex
                      • String ID: Rmc-NKQ1SM
                      • API String ID: 1925916568-3604705642
                      APIs
                        • Part of subcall function 00051BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00051BF4
                        • Part of subcall function 00051BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00051BFC
                        • Part of subcall function 00051BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00051C07
                        • Part of subcall function 00051BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00051C12
                        • Part of subcall function 00051BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00051C1A
                        • Part of subcall function 00051BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00051C22
                        • Part of subcall function 00051B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00051BA2
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0005136A
                      • OleInitialize.OLE32 ref: 00051388
                      • CloseHandle.KERNEL32(00000000,00000000), ref: 000924AB
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                       • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                       • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                      • String ID:
                      • API String ID: 3094916012-0
                      APIs
                      • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000001,?,00000000), ref: 0005556D
                      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 0005557D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 92c36c747991497d8854510bf94c5bcb18cbab85fe6d040633b505447f53133b
                      • Instruction ID: b28dbae7817da53bac15f1892864a37d403cac8890212161f4e843e031f69ee0
                      • Opcode Fuzzy Hash: 92c36c747991497d8854510bf94c5bcb18cbab85fe6d040633b505447f53133b
                      • Instruction Fuzzy Hash: 83314A71A00A09EFDB14CF68CC90B9AB7B6FB48316F148629ED1597240D771FA98CB90
                      APIs
                      • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                      • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: EventObjectSingleWaitsend
                      • String ID:
                      • API String ID: 3963590051-0
                      • Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                      • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                      • Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                      • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                      • RegCloseKey.KERNEL32(?), ref: 0041362D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                      • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                      • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                      • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                      • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                      • RegCloseKey.KERNEL32(00000000), ref: 00413773
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: b53d5430339f24b3f35949c1b6b46cee90247795c41e72649518dd5831c8e0a8
                      • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                      • Opcode Fuzzy Hash: b53d5430339f24b3f35949c1b6b46cee90247795c41e72649518dd5831c8e0a8
                      • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                      • RegCloseKey.KERNEL32(?), ref: 004135CD
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                      • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                      • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                      • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                      • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                      • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                      • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                      • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                      • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                      • RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID:
                      • API String ID: 1818849710-0
                      • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                      • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                      • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                      • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                      APIs
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                      • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                      • recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: EventObjectSingleWaitrecv
                      • String ID:
                      • API String ID: 311754179-0
                      • Opcode ID: cdb06e8163b8322063f134be74ce7e1cf20e247c26aa7992d3e9e0113c183a83
                      • Instruction ID: 0899ded2458b7d4720508400fe02e5f5257555b40415190a6d7bc1514cf1b529
                      • Opcode Fuzzy Hash: cdb06e8163b8322063f134be74ce7e1cf20e247c26aa7992d3e9e0113c183a83
                      • Instruction Fuzzy Hash: 53F05E36108212FFC7019F10EC09E0AFB62FB85721F10862AF510512B08771FC20DB95
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wcslen
                      • String ID: pQG
                      • API String ID: 176396367-3769108836
                      • Opcode ID: 31285fc84d77848fd6dc80432e7cd96f73b5e2d9a287a33582fb78eeb2e2e7f8
                      • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                      • Opcode Fuzzy Hash: 31285fc84d77848fd6dc80432e7cd96f73b5e2d9a287a33582fb78eeb2e2e7f8
                      • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID: @
                      • API String ID: 1890195054-2766056989
                      • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                      • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                      • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                      • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                      APIs
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00053908
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: IconNotifyShell_
                      • String ID:
                      • API String ID: 1144537725-0
                      • Opcode ID: 3d4b6c6ca3713fedcc7b2b564da24d223d63da38c23a39584b324b6a3e54e662
                      • Instruction ID: b14fbc15b5482753f54aac03bc05e3d0f7360e5e819d70a842d3236a1af3fdf2
                      • Opcode Fuzzy Hash: 3d4b6c6ca3713fedcc7b2b564da24d223d63da38c23a39584b324b6a3e54e662
                      • Instruction Fuzzy Hash: 0C31D5B0504301AFE761DF24D8847E7BBE8FF49759F00092EF99A87240E771AA58CB52
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0005949C,?,00008000), ref: 00055773
                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0005949C,?,00008000), ref: 00094052
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 786a8331a505895f69d7c2405540f1d91e5a6de64d62c82a060d92f4eab9e807
                      • Instruction ID: 88f78ccd35bf3d4b864064e0ca71940c2e5f4e3c8ddc0c57152971baf2492e72
                      • Opcode Fuzzy Hash: 786a8331a505895f69d7c2405540f1d91e5a6de64d62c82a060d92f4eab9e807
                      • Instruction Fuzzy Hash: 56019230145225B6E7700A2ADC0EF977F98EF06BB2F108300BE9D6E1E1C7B45855CB90
                      APIs
                      • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                        • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateEventStartupsocket
                      • String ID:
                      • API String ID: 1953588214-0
                      • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                      • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                      • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                      • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                      • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                      • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                      • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                      APIs
                      • GetForegroundWindow.USER32 ref: 0041BB49
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ForegroundText
                      • String ID:
                      • API String ID: 29597999-0
                      • Opcode ID: 9e14f14a0e9922ba764fe65eac9bb4b21bc38a877e3a7683c561b850b82ae2a9
                      • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                      • Opcode Fuzzy Hash: 9e14f14a0e9922ba764fe65eac9bb4b21bc38a877e3a7683c561b850b82ae2a9
                      • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0005BB4E
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID:
                      • API String ID: 1385522511-0
                      • Opcode ID: 6dfe3ccbbc111b72bc6ddf23c01f5b43af7c5dac526c35670cbbf56f5fb07460
                      • Instruction ID: 4e807ec70b578d94c8406c4830c944d325ac313309500a5063252b446795f4a5
                      • Opcode Fuzzy Hash: 6dfe3ccbbc111b72bc6ddf23c01f5b43af7c5dac526c35670cbbf56f5fb07460
                      • Instruction Fuzzy Hash: 16328C35A00209EFDB24CF94C894ABEB7F9EF49311F148059ED05AB252C7B5BE85CB91
                      APIs
                      • LoadLibraryA.KERNEL32(00000000,?,?,?,?,03BE21CB), ref: 03BE1F07
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: d22b9a85897b0480d9ab334fdf9dd112e4d2d472da5a885669ef85cb46738ed0
                      • Instruction ID: f2604f4d13679dedc9fc263ebde8bbc4c50c4dfee7a484b37506069cee595977
                      • Opcode Fuzzy Hash: d22b9a85897b0480d9ab334fdf9dd112e4d2d472da5a885669ef85cb46738ed0
                      • Instruction Fuzzy Hash: 1331C674A01249DFDB64CF58C884BEDB7B5FF48318F2486A8D80A9B351D734AA85CB94
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                      • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                      • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                      • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                      APIs
                      • ReadFile.KERNEL32(?,?,00010000,00000000,00000000,?,?,00000000,?,0005543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00059A9C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: fc2db8f20c0d02326002611047fe7c24dd8d53166e15fc6b5e3a1f1b64df82cc
                      • Instruction ID: f0896069e1136720a7e308f26b7ce7f24eadb7a8ec64513cd784cbbc97740552
                      • Opcode Fuzzy Hash: fc2db8f20c0d02326002611047fe7c24dd8d53166e15fc6b5e3a1f1b64df82cc
                      • Instruction Fuzzy Hash: DB114831204705DFEB20CF15C880B67B7F9EF44765F14C42EE9AB8AA51C770A949CBA1
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00435329,?), ref: 004461EA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                      • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                      • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                      • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00083852
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 46801987766139ec586a6709af00e0c6240b0aebc10045f80a2667a1ab279449
                      • Instruction ID: 2746e84e2ac35de62923f6f7d33c7949d656ba08e36fa103a8e2d8f16e9c71f1
                      • Opcode Fuzzy Hash: 46801987766139ec586a6709af00e0c6240b0aebc10045f80a2667a1ab279449
                      • Instruction Fuzzy Hash: 08E0E531601325E7E63137669C06BDA3689BBC2FB0F154021BC98A6582DF25DD0283E4
                      APIs
                      • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00052DC4
                        • Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: LongNamePath_wcslen
                      • String ID:
                      • API String ID: 541455249-0
                      • Opcode ID: ef9c9a398adbcc69073a55280697f8d34e04d471fdc25dca2f8d4d6fb6ee6f8f
                      • Instruction ID: 96407ec0baf33a8c065e00e372599ca7db93529ca70c773e27b17933cc79bfac
                      • Opcode Fuzzy Hash: ef9c9a398adbcc69073a55280697f8d34e04d471fdc25dca2f8d4d6fb6ee6f8f
                      • Instruction Fuzzy Hash: DBE0C272A002285BDB20A2989C06FEA77EDDFC8790F0400B5FD09E7249EA74AD848690
                      APIs
                        • Part of subcall function 00053837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00053908
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00052B6B
                        • Part of subcall function 000530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0005314E
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$CurrentDirectory
                      • String ID:
                      • API String ID: 2619246295-0
                      • Opcode ID: cd9652b5de9076efd52abe179d8efc69ea10e1ccf29fc6e6374f8d2d56acb9cb
                      • Instruction ID: a0f0bbcbf3dbc48100ffb4b831bbdebb026d02b15cb6c94cd9f493ac088c7c73
                      • Opcode Fuzzy Hash: cd9652b5de9076efd52abe179d8efc69ea10e1ccf29fc6e6374f8d2d56acb9cb
                      • Instruction Fuzzy Hash: 3EE0262270438412C618BB30A8524FFA7598BE1393F40183EF846831A3DF24868E8211
                      APIs
                      • GetFileAttributesW.KERNEL32(?), ref: 03BE08EB
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                      • Instruction ID: 9d0810ebf2583d7fd9a8686cd3692e6844818674e58fd629c3acf5183a3b92f0
                      • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                      • Instruction Fuzzy Hash: 77E08C71A0520CEBEB20EFBD8C08AA973A8DB04324F0046A4E81AC72C0D6708A409654
                      APIs
                      • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Startup
                      • String ID:
                      • API String ID: 724789610-0
                      • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                      • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                      • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                      • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                      APIs
                      • GetFileAttributesW.KERNEL32(?), ref: 03BE08BB
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                      • Instruction ID: 77cbe1a4ececcace82720780b6761589cc56621365e99704b12d0ed9a6777fb6
                      • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                      • Instruction Fuzzy Hash: 5FD0A73090620CEBCB10DFF99C04ADA73ACDB04324F1047A4FD15D32C0D775994097A0
                      APIs
                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00051CBC
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: InfoParametersSystem
                      • String ID:
                      • API String ID: 3098949447-0
                      • Opcode ID: eaf0652238f1251fd14c516cdbccec7c16e3c360fbc54eb5515561905666fa1a
                      • Instruction ID: 9f234425133b40dd36afc1ba3082d4c042e2b6297d42a5e220a0c37f80807bae
                      • Opcode Fuzzy Hash: eaf0652238f1251fd14c516cdbccec7c16e3c360fbc54eb5515561905666fa1a
                      • Instruction Fuzzy Hash: 02C09236380348BFF224CB80BC8AF547765B35CF10F048001F609A99E3C3B228B2EA90
                      APIs
                      • std::_Deallocate.LIBCONCRT ref: 00402E2B
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Deallocatestd::_
                      • String ID:
                      • API String ID: 1323251999-0
                      • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                      • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                      • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                      • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                      APIs
                      • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 03BE20F6
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 6cb4ba6d175bfa1163a25791b9aa6631b756f28669884805dc144b2524360b36
                      • Instruction ID: f6ec68774e74a5c3604eac275445935b3f9dc144a26eccba8eaf2f7fef60dc5c
                      • Opcode Fuzzy Hash: 6cb4ba6d175bfa1163a25791b9aa6631b756f28669884805dc144b2524360b36
                      • Instruction Fuzzy Hash: 4B81CA75A01209DFDB58DF98C990FAEB7B5FF48308F2485A9E505AB341C734AA41CB94
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction ID: 3b12dcd9044160509de9516489d60c95259ef85a940315587b481b82356c6710
                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction Fuzzy Hash: 8C31D275A0010ADBC768CF59E580969FBE7FF49310B2486A5E809CB656D731EEC1CBC0
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3713149237.0000000003BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_3be0000_Monteverdi.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction ID: 1bec3aa2766f158ddcb73f288f54bb709e57b8240b0a0e73424ac622e9649a64
                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction Fuzzy Hash: 1CE0E67494010DDFDB00EFF8D94969E7FB4EF04301F1005A1FD01D2280D7309D509A62
                      APIs
                      • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                      • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                      • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                      • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 00407CF4
                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                      • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                        • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                        • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                        • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                        • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                        • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                      • DeleteFileA.KERNEL32(?), ref: 0040868D
                        • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                        • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                        • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                        • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                      • Sleep.KERNEL32(000007D0), ref: 00408733
                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                        • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                      • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                      • API String ID: 1067849700-181434739
                      • Opcode ID: 1d7f95e269eb82d554e789f63264fb559ee9e4ce463f38c49f242ea75fa1d28d
                      • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                      • Opcode Fuzzy Hash: 1d7f95e269eb82d554e789f63264fb559ee9e4ce463f38c49f242ea75fa1d28d
                      • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 004056E6
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • __Init_thread_footer.LIBCMT ref: 00405723
                      • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                      • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                      • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                      • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                      • CloseHandle.KERNEL32 ref: 00405A23
                      • CloseHandle.KERNEL32 ref: 00405A2B
                      • CloseHandle.KERNEL32 ref: 00405A3D
                      • CloseHandle.KERNEL32 ref: 00405A45
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                      • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                      • API String ID: 2994406822-18413064
                      • Opcode ID: c30a8cf89a44f1cf57d18c0b64f38ea7b5420e979d9c278b3fb3eac4bd9d804e
                      • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                      • Opcode Fuzzy Hash: c30a8cf89a44f1cf57d18c0b64f38ea7b5420e979d9c278b3fb3eac4bd9d804e
                      • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 00412141
                        • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                        • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                        • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                      • CloseHandle.KERNEL32(00000000), ref: 00412190
                      • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                      • API String ID: 3018269243-13974260
                      • Opcode ID: e899667bffb115b18fd15f0bf7c170ad24ac01cccaac08ad72e0ad34f415d47c
                      • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                      • Opcode Fuzzy Hash: e899667bffb115b18fd15f0bf7c170ad24ac01cccaac08ad72e0ad34f415d47c
                      • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                      • FindClose.KERNEL32(00000000), ref: 0040BC04
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                      • FindClose.KERNEL32(00000000), ref: 0040BD4D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                      • API String ID: 1164774033-3681987949
                      • Opcode ID: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                      • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                      • Opcode Fuzzy Hash: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                      • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                      APIs
                        • Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2
                      • DragQueryPoint.SHELL32(?,?), ref: 000E9147
                        • Part of subcall function 000E7674: ClientToScreen.USER32(?,?), ref: 000E769A
                        • Part of subcall function 000E7674: GetWindowRect.USER32(?,?), ref: 000E7710
                        • Part of subcall function 000E7674: PtInRect.USER32(?,?,000E8B89), ref: 000E7720
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 000E91B0
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000E91BB
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000E91DE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 000E9225
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 000E923E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 000E9255
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 000E9277
                      • DragFinish.SHELL32(?), ref: 000E927E
                      • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 000E9371
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                      • API String ID: 4085959399-3440237614
                      • Opcode ID: 3473d79a3232636ad9ddf50cb45bd80d0bad9be2f29f1a237afb268151b651bb
                      • Instruction ID: eb5673d4241e5d7e0de42f9fce75c7099a771a2b78cc6393eb7e30732cafe276
                      • Opcode Fuzzy Hash: 3473d79a3232636ad9ddf50cb45bd80d0bad9be2f29f1a237afb268151b651bb
                      • Instruction Fuzzy Hash: 55619A71108341AFE701DF60DC85DAFBBE8EF89750F40092EF995A71A2DB309A49CB52
                      APIs
                      • OpenClipboard.USER32 ref: 004168FD
                      • EmptyClipboard.USER32 ref: 0041690B
                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                      • GlobalFix.KERNEL32(00000000), ref: 00416934
                      • GlobalUnWire.KERNEL32(00000000), ref: 0041696A
                      • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                      • CloseClipboard.USER32 ref: 00416990
                      • OpenClipboard.USER32 ref: 00416997
                      • GetClipboardData.USER32(0000000D), ref: 004169A7
                      • GlobalFix.KERNEL32(00000000), ref: 004169B0
                      • GlobalUnWire.KERNEL32(00000000), ref: 004169B9
                      • CloseClipboard.USER32 ref: 004169BF
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Clipboard$Global$CloseDataOpenWire$AllocEmptysend
                      • String ID: !D@
                      • API String ID: 3354723728-604454484
                      • Opcode ID: d259b994e68c83a1489beb53d4054afcf1b6892fa1ac7d524fe9d6688d528fc7
                      • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                      • Opcode Fuzzy Hash: d259b994e68c83a1489beb53d4054afcf1b6892fa1ac7d524fe9d6688d528fc7
                      • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                      APIs
                      • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0041D66B
                      • GetCursorPos.USER32(?), ref: 0041D67A
                      • SetForegroundWindow.USER32(?), ref: 0041D683
                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                      • Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0041D6EE
                      • ExitProcess.KERNEL32 ref: 0041D6F6
                      • CreatePopupMenu.USER32 ref: 0041D6FC
                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                      • String ID: Close
                      • API String ID: 1665278180-3535843008
                      • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                      • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                      • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                      • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                      • FindClose.KERNEL32(00000000), ref: 0040BE04
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                      • FindClose.KERNEL32(00000000), ref: 0040BEEA
                      • FindClose.KERNEL32(00000000), ref: 0040BF0B
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$Close$File$FirstNext
                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 3527384056-432212279
                      • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                      • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                      • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                      • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                      APIs
                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                      • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                      • CloseHandle.KERNEL32(00000000), ref: 0041349A
                      • CloseHandle.KERNEL32(?), ref: 004134A0
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                      • String ID:
                      • API String ID: 297527592-0
                      • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                      • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                      • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                      • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0$1$2$3$4$5$6$7$VG
                      • API String ID: 0-1861860590
                      • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                      • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                      • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                      • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                      APIs
                      • _wcslen.LIBCMT ref: 0040755C
                      • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Object_wcslen
                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                      • API String ID: 240030777-3166923314
                      • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                      • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                      • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                      • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                      • GetLastError.KERNEL32 ref: 0041A84C
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                      • String ID:
                      • API String ID: 3587775597-0
                      • Opcode ID: 34368503a7797b2ad0ee3380c6031730a5bdfff2db558ca51b3840592ea9271e
                      • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                      • Opcode Fuzzy Hash: 34368503a7797b2ad0ee3380c6031730a5bdfff2db558ca51b3840592ea9271e
                      • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                      • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                      • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                      • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                      • String ID: JD$JD$JD
                      • API String ID: 745075371-3517165026
                      • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                      • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                      • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                      • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                      • FindClose.KERNEL32(00000000), ref: 0040C4B8
                      • FindClose.KERNEL32(00000000), ref: 0040C4E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 1164774033-405221262
                      • Opcode ID: 132fc5728901236336626beb7552867808a8169284a3a6f5e6138339f1b07a50
                      • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                      • Opcode Fuzzy Hash: 132fc5728901236336626beb7552867808a8169284a3a6f5e6138339f1b07a50
                      • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                        • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                      • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                      • String ID:
                      • API String ID: 2341273852-0
                      • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                      • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                      • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                      • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Find$CreateFirstNext
                      • String ID: 8SG$PXG$PXG$NG$PG
                      • API String ID: 341183262-3812160132
                      • Opcode ID: 8f7ae2c16572116b077adb3963745ee103b1bd3b1449f070d317cb7051f8310c
                      • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                      • Opcode Fuzzy Hash: 8f7ae2c16572116b077adb3963745ee103b1bd3b1449f070d317cb7051f8310c
                      • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                      • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                      • GetLastError.KERNEL32 ref: 0040A328
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                      • TranslateMessage.USER32(?), ref: 0040A385
                      • DispatchMessageA.USER32(?), ref: 0040A390
                      Strings
                      • Keylogger initialization failure: error , xrefs: 0040A33C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                      • String ID: Keylogger initialization failure: error
                      • API String ID: 3219506041-952744263
                      • Opcode ID: 0dc1c2640651d2c5fe804fd6a671654dad06f326112922524979b06ffad0e6ec
                      • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                      • Opcode Fuzzy Hash: 0dc1c2640651d2c5fe804fd6a671654dad06f326112922524979b06ffad0e6ec
                      • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                      APIs
                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                      • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressCloseCreateLibraryLoadProcsend
                      • String ID: SHDeleteKeyW$Shlwapi.dll
                      • API String ID: 2127411465-314212984
                      • Opcode ID: b44cb1558f59bac4f2b3dcee248625162a7a337fe61552d5fdae923e1d242d4e
                      • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                      • Opcode Fuzzy Hash: b44cb1558f59bac4f2b3dcee248625162a7a337fe61552d5fdae923e1d242d4e
                      • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                      APIs
                      • _free.LIBCMT ref: 00449292
                      • _free.LIBCMT ref: 004492B6
                      • _free.LIBCMT ref: 0044943D
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                      • _free.LIBCMT ref: 00449609
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                      • String ID:
                      • API String ID: 314583886-0
                      • Opcode ID: dc83affbdda03aa590ab2c02cd23b1c998284294c935904359a7728a3f82a3ab
                      • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                      • Opcode Fuzzy Hash: dc83affbdda03aa590ab2c02cd23b1c998284294c935904359a7728a3f82a3ab
                      • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                      APIs
                        • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                        • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                        • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                        • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                        • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                      • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                      • String ID: !D@$PowrProf.dll$SetSuspendState
                      • API String ID: 1589313981-2876530381
                      • Opcode ID: ce5683030187738bceadf88c645d3be9b3a0420f2583575d8a918ca80ddea350
                      • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                      • Opcode Fuzzy Hash: ce5683030187738bceadf88c645d3be9b3a0420f2583575d8a918ca80ddea350
                      • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                      • GetLastError.KERNEL32 ref: 0040BA93
                      Strings
                      • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                      • [Chrome StoredLogins not found], xrefs: 0040BAAD
                      • UserProfile, xrefs: 0040BA59
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      • API String ID: 2018770650-1062637481
                      • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                      • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                      • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                      • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                      APIs
                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                      • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                      • GetLastError.KERNEL32 ref: 004179D8
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                      • String ID: SeShutdownPrivilege
                      • API String ID: 3534403312-3733053543
                      • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                      • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                      • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                      • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                      APIs
                      • __EH_prolog.LIBCMT ref: 00409293
                        • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,0141BB00,00000010), ref: 004048E0
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                      • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                      • FindClose.KERNEL32(00000000), ref: 004093FC
                        • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                        • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                        • Part of subcall function 00404E26: FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                      • FindClose.KERNEL32(00000000), ref: 004095F4
                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                      • String ID:
                      • API String ID: 2435342581-0
                      • Opcode ID: 9703fc64594d2a233a8d5a8bf14669c6e8d23059b9409c8694ac9703d2b7c932
                      • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                      • Opcode Fuzzy Hash: 9703fc64594d2a233a8d5a8bf14669c6e8d23059b9409c8694ac9703d2b7c932
                      • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ManagerStart
                      • String ID:
                      • API String ID: 276877138-0
                      • Opcode ID: a996a6cc2d1247f035f36a86675caa1e5bb364fb16a9c3eb8bb73043d67029f0
                      • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                      • Opcode Fuzzy Hash: a996a6cc2d1247f035f36a86675caa1e5bb364fb16a9c3eb8bb73043d67029f0
                      • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                      APIs
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                      • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID: ACP$OCP
                      • API String ID: 2299586839-711371036
                      • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                      • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                      • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                      • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                      APIs
                        • Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2
                      • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00069A4E
                      • GetSysColor.USER32(0000000F), ref: 00069B23
                      • SetBkColor.GDI32(?,00000000), ref: 00069B36
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Color$DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 1958858920-0
                      • Opcode ID: a5298e55a6ba0c41418ec5f788a52fad3d3e99f497d3466a2f7b5585d07accff
                      • Instruction ID: d30e5a31abffc9a83bfb57287754bde51a830eed974f922e3f987c43296c038e
                      • Opcode Fuzzy Hash: a5298e55a6ba0c41418ec5f788a52fad3d3e99f497d3466a2f7b5585d07accff
                      • Instruction Fuzzy Hash: A5A10770208444BEE778DABD8C98EBF26DFEF43340B15811AF506D6E92CA359D41C6B2
                      APIs
                      • __EH_prolog.LIBCMT ref: 004096A5
                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstH_prologNext
                      • String ID:
                      • API String ID: 1157919129-0
                      • Opcode ID: 8d928cb8764d530f02ee04fa7acdf6cbb69203ab349246c104b3b77f47194400
                      • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                      • Opcode Fuzzy Hash: 8d928cb8764d530f02ee04fa7acdf6cbb69203ab349246c104b3b77f47194400
                      • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                      APIs
                      • __EH_prolog.LIBCMT ref: 0040884C
                      • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                      • String ID:
                      • API String ID: 1771804793-0
                      • Opcode ID: cc0f46f5d7fcd9a65ad3950b8493bb7e005b259a7c372be1b9e2f742007c138c
                      • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                      • Opcode Fuzzy Hash: cc0f46f5d7fcd9a65ad3950b8493bb7e005b259a7c372be1b9e2f742007c138c
                      • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: DownloadExecuteFileShell
                      • String ID: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe$open
                      • API String ID: 2825088817-2379269279
                      • Opcode ID: 99c0f8073da045de97b1d0efa5b724c7ff27a9100b470653de75895e1e26b2a5
                      • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                      • Opcode Fuzzy Hash: 99c0f8073da045de97b1d0efa5b724c7ff27a9100b470653de75895e1e26b2a5
                      • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileFind$FirstNextsend
                      • String ID: XPG$XPG
                      • API String ID: 4113138495-1962359302
                      • Opcode ID: c0e8889bea658093dd13b8d727a57821bf1de6d3767e3798d66387d962ccdd8c
                      • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                      • Opcode Fuzzy Hash: c0e8889bea658093dd13b8d727a57821bf1de6d3767e3798d66387d962ccdd8c
                      • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                      APIs
                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                        • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                        • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137E1
                        • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(?,?,?,0040F88E,004674C8,5.1.1 Pro), ref: 004137EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateInfoParametersSystemValue
                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                      • API String ID: 4127273184-3576401099
                      • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                      • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                      • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                      • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                      • _wcschr.LIBVCRUNTIME ref: 00451ECA
                      • _wcschr.LIBVCRUNTIME ref: 00451ED8
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                      • String ID:
                      • API String ID: 4212172061-0
                      • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                      • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                      • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                      • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                      • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID: p'E$JD
                      • API String ID: 1084509184-908320845
                      • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                      • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                      • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                      • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorInfoLastLocale$_free$_abort
                      • String ID:
                      • API String ID: 2829624132-0
                      • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                      • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                      • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                      • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                      APIs
                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00000000), ref: 004338DA
                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$Context$AcquireRandomRelease
                      • String ID:
                      • API String ID: 1815803762-0
                      • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                      • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                      • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                      • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                      APIs
                      • OpenClipboard.USER32(00000000), ref: 0040B74C
                      • GetClipboardData.USER32(0000000D), ref: 0040B758
                      • CloseClipboard.USER32 ref: 0040B760
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Clipboard$CloseDataOpen
                      • String ID:
                      • API String ID: 2058664381-0
                      • Opcode ID: 9e2469c20f3451088fe6023568597aab4dade72446a07d8fef547dc5bb14dcf8
                      • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                      • Opcode Fuzzy Hash: 9e2469c20f3451088fe6023568597aab4dade72446a07d8fef547dc5bb14dcf8
                      • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                      • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID: JD
                      • API String ID: 1084509184-2669065882
                      • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                      • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                      • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                      • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID: GetLocaleInfoEx
                      • API String ID: 2299586839-2904428671
                      • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                      • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                      • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                      • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free$InfoLocale_abort
                      • String ID:
                      • API String ID: 1663032902-0
                      • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                      • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                      • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                      • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$InfoLocale_abort_free
                      • String ID:
                      • API String ID: 2692324296-0
                      • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                      • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                      • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                      • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                      APIs
                        • Part of subcall function 00445909: RtlEnterCriticalSection.NTDLL(-0006D41D), ref: 00445918
                      • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalEnterEnumLocalesSectionSystem
                      • String ID:
                      • API String ID: 1272433827-0
                      • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                      • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                      • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                      • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                      • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                      • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                      • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                      • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                      APIs
                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                      • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                      • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                      • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                      APIs
                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                      • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                        • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                      • DeleteDC.GDI32(00000000), ref: 00418F65
                      • DeleteDC.GDI32(00000000), ref: 00418F68
                      • DeleteObject.GDI32(00000000), ref: 00418F6B
                      • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                      • DeleteDC.GDI32(00000000), ref: 00418F9D
                      • DeleteDC.GDI32(00000000), ref: 00418FA0
                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                      • GetCursorInfo.USER32(?), ref: 00418FE2
                      • GetIconInfo.USER32(?,?), ref: 00418FF8
                      • DeleteObject.GDI32(?), ref: 00419027
                      • DeleteObject.GDI32(?), ref: 00419034
                      • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                      • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                      • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                      • DeleteDC.GDI32(?), ref: 004191B7
                      • DeleteDC.GDI32(00000000), ref: 004191BA
                      • DeleteObject.GDI32(00000000), ref: 004191BD
                      • GlobalFree.KERNEL32(?), ref: 004191C8
                      • DeleteObject.GDI32(00000000), ref: 0041927C
                      • GlobalFree.KERNEL32(?), ref: 00419283
                      • DeleteDC.GDI32(?), ref: 00419293
                      • DeleteDC.GDI32(00000000), ref: 0041929E
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                      • String ID: DISPLAY
                      • API String ID: 4256916514-865373369
                      • Opcode ID: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                      • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                      • Opcode Fuzzy Hash: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                      • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 000E712F
                      • GetSysColorBrush.USER32(0000000F), ref: 000E7160
                      • GetSysColor.USER32(0000000F), ref: 000E716C
                      • SetBkColor.GDI32(?,000000FF), ref: 000E7186
                      • SelectObject.GDI32(?,?), ref: 000E7195
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 000E71C0
                      • GetSysColor.USER32(00000010), ref: 000E71C8
                      • CreateSolidBrush.GDI32(00000000), ref: 000E71CF
                      • FrameRect.USER32(?,?,00000000), ref: 000E71DE
                      • DeleteObject.GDI32(00000000), ref: 000E71E5
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 000E7230
                      • FillRect.USER32(?,?,?), ref: 000E7262
                      • GetWindowLongW.USER32(?,000000F0), ref: 000E7284
                        • Part of subcall function 000E73E8: GetSysColor.USER32(00000012), ref: 000E7421
                        • Part of subcall function 000E73E8: SetTextColor.GDI32(?,?), ref: 000E7425
                        • Part of subcall function 000E73E8: GetSysColorBrush.USER32(0000000F), ref: 000E743B
                        • Part of subcall function 000E73E8: GetSysColor.USER32(0000000F), ref: 000E7446
                        • Part of subcall function 000E73E8: GetSysColor.USER32(00000011), ref: 000E7463
                        • Part of subcall function 000E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000E7471
                        • Part of subcall function 000E73E8: SelectObject.GDI32(?,00000000), ref: 000E7482
                        • Part of subcall function 000E73E8: SetBkColor.GDI32(?,00000000), ref: 000E748B
                        • Part of subcall function 000E73E8: SelectObject.GDI32(?,?), ref: 000E7498
                        • Part of subcall function 000E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 000E74B7
                        • Part of subcall function 000E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000E74CE
                        • Part of subcall function 000E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 000E74DB
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                      • String ID:
                      • API String ID: 4124339563-0
                      • Opcode ID: 1c57a2a0126c4acb6f27c7c7bac2722e06102b6d91bf810636a84711b0ac9841
                      • Instruction ID: b3aac8707f52ab65bfbda37c93c1c96a496eacbb7ebd8e1b3c1fdf3ff635f083
                      • Opcode Fuzzy Hash: 1c57a2a0126c4acb6f27c7c7bac2722e06102b6d91bf810636a84711b0ac9841
                      • Instruction Fuzzy Hash: BDA1D472008381BFE7109F64DC88E5B7BE9FF49720F100A19FA66AA1E1D736E941CB51
                      APIs
                        • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                        • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                        • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                        • Part of subcall function 0041C482: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C5A1,00000000,00000000,?), ref: 0041C4C1
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                      • ExitProcess.KERNEL32 ref: 0040D80B
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                      • API String ID: 1861856835-1447701601
                      • Opcode ID: 16b211df3c93d8bcf8e624e457322fcf6631e75fc7442fb5225b75972f547e03
                      • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                      • Opcode Fuzzy Hash: 16b211df3c93d8bcf8e624e457322fcf6631e75fc7442fb5225b75972f547e03
                      • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                      APIs
                        • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                        • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                        • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                        • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                      • ExitProcess.KERNEL32 ref: 0040D454
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                      • API String ID: 3797177996-2483056239
                      • Opcode ID: fa5c9b192a04513e000af4d37f5d0f097e6efd5213e9bd63b6e59689916c8b44
                      • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                      • Opcode Fuzzy Hash: fa5c9b192a04513e000af4d37f5d0f097e6efd5213e9bd63b6e59689916c8b44
                      • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
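                      The two functions above hold the pieces of the VBScript the sample writes to %TEMP% (strings "Temp", "\update.vbs", "On Error Resume Next", "Set fso = CreateObject("Scripting.FileSystemObject")", "while fso.FileExists(", "fso.DeleteFile "", "fso.DeleteFolder "", "fso.DeleteFile(Wscript.ScriptFullName)" and, in the first, "CreateObject("WScript.Shell").Run "cmd /c """), launch it with ShellExecuteW(open) and then call ExitProcess; beforehand RegDeleteKeyA under HKEY_CURRENT_USER (0x80000001) removes the Run and Policies\Explorer\Run persistence entries named in the string list. The following is an added example written for this report, not code from the sample, from Remcos or from Joe Sandbox: a static classifier that scores a VBScript body against exactly those fragments, so it can be run over files recovered from %TEMP% or from a sandbox's dropped-file list. The three inputs it is tested with are constructed; the page does not show the assembled script, so their line order, the file paths and the "temp_*.TMP.exe" name are assumptions (the update routine later on this page calls GetTempFileNameW with prefix "temp_" and appends ".exe", which suggests that shape, but it is inferred).

```python
"""Static triage of Remcos-style self-deleting VBScript (update/uninstall stub).

Added example written for this report; it is not code from the sample, from
Remcos or from Joe Sandbox. The indicator patterns are the script fragments
visible in the string lists of the two functions above. The page does not
show the assembled script, so the three inputs below are constructed test
data: their line order, the file paths and the "temp_*.TMP.exe" name are
assumptions.
"""
import re
from dataclasses import dataclass, field

# (indicator name, pattern, weight). Weights are this example's own triage
# judgement, not values from the report.
INDICATORS = [
    ("error_suppression",
     re.compile(r"^\s*On Error Resume Next\s*$", re.I | re.M), 1),
    ("fso_object",
     re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I), 1),
    # while fso.FileExists("...") ... wend: spin until the running EXE can be deleted
    ("wait_for_exe_to_vanish",
     re.compile(r"while\s+fso\.FileExists\(.*?\)[\s\S]*?\bwend\b", re.I), 3),
    ("delete_target_file", re.compile(r'fso\.DeleteFile\s+"', re.I), 2),
    ("delete_target_folder", re.compile(r'fso\.DeleteFolder\s+"', re.I), 2),
    ("self_delete",
     re.compile(r"fso\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)", re.I), 3),
    ("shell_run_cmd",
     re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)\.Run\s+"cmd /c', re.I), 2),
]
THRESHOLD = 7  # assumed cut-off: FileSystemObject plus error suppression alone stays benign


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        return self.score >= THRESHOLD


def classify(vbs_text: str) -> Verdict:
    """Score a VBScript body against INDICATORS; hits are listed in INDICATORS order."""
    verdict = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(vbs_text):
            verdict.hits.append(name)
            verdict.score += weight
    return verdict


# Constructed input 1: uninstall variant, built from the second function's strings.
UNINSTALLER_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\user\AppData\Local\scrolar\Monteverdi.exe")
    fso.DeleteFile "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
wend
fso.DeleteFolder "C:\Users\user\AppData\Local\scrolar"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed input 2: update variant, adding the hidden "cmd /c" relaunch from the
# first function's strings. The temp file name is an assumption.
UPDATER_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\user\AppData\Local\scrolar\Monteverdi.exe")
    fso.DeleteFile "C:\Users\user\AppData\Local\scrolar\Monteverdi.exe"
wend
CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\user\AppData\Local\Temp\temp_A1B2.TMP.exe""", 0
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed input 3: an ordinary admin script that also uses FileSystemObject.
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile "C:\logs\app.log", "D:\backup\app.log", True
WScript.Echo "backup done"
'''

if __name__ == "__main__":
    for label, text in (("uninstaller", UNINSTALLER_VBS),
                        ("updater", UPDATER_VBS), ("benign", BENIGN_VBS)):
        v = classify(text)
        print(f"{label:12s} score={v.score:2d} malicious={v.malicious} hits={v.hits}")
```

                      The heavy weights sit on the while/wend wait loop and on the script deleting itself, because those two together are what distinguish a process-replacement stub from the many legitimate scripts that start with "On Error Resume Next" and create a FileSystemObject; the benign input scores 1 and both constructed stubs score 12.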
                      APIs
                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                      • ExitProcess.KERNEL32(00000000), ref: 004124DB
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                      • CloseHandle.KERNEL32(00000000), ref: 00412576
                      • GetCurrentProcessId.KERNEL32 ref: 0041257C
                      • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                      • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                      • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                        • Part of subcall function 0041C482: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C5A1,00000000,00000000,?), ref: 0041C4C1
                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                      • Sleep.KERNEL32(000001F4), ref: 004126BD
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                      • CloseHandle.KERNEL32(00000000), ref: 004126E4
                      • GetCurrentProcessId.KERNEL32 ref: 004126EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                      • String ID: .exe$8SG$WDH$exepath$open$temp_
                      • API String ID: 2649220323-436679193
                      • Opcode ID: 3cffa361a1d5e78c41c9e20b4ce79e03a33a4e5eb5af412b5b95d5c06ba0ca12
                      • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                      • Opcode Fuzzy Hash: 3cffa361a1d5e78c41c9e20b4ce79e03a33a4e5eb5af412b5b95d5c06ba0ca12
                      • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                      APIs
                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                      • SetEvent.KERNEL32 ref: 0041B2AA
                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                      • CloseHandle.KERNEL32 ref: 0041B2CB
                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                      • API String ID: 738084811-2094122233
                      • Opcode ID: 06627e1b1ea1827e4d2f2326f0cc352d59285080fd94fddabf350432e27cb009
                      • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                      • Opcode Fuzzy Hash: 06627e1b1ea1827e4d2f2326f0cc352d59285080fd94fddabf350432e27cb009
                      • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                      APIs
                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                      • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                      • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                      • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Write$Create
                      • String ID: RIFF$WAVE$data$fmt
                      • API String ID: 1602526932-4212202414
                      • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                      • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                      • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                      • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
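                      The function above opens a file for writing and issues thirteen WriteFile calls of 4, 4, 4, 4, 4, 2, 2, 4, 4, 2, 2, 4 and 4 bytes, with the literals "RIFF", "WAVE", "fmt " and "data" in the positions the canonical 44-byte PCM WAV header uses, which is the writer for the sample's audio recordings. The following is an added example written for this report, not code from the sample, from Remcos or from Joe Sandbox: it builds that header in the same field order and parses one back, cross-checking the WAV format's own consistency relations (block alignment against channels and bit depth, byte rate against sample rate, RIFF size against data size), which is the quick sanity check wanted when recordings are recovered from an infected host. The field meanings come from the WAV format; the sample header is constructed here, and 16-bit mono at 11025 Hz is an assumption, not a value read from the sample.

```python
"""Build, parse and cross-check the 44-byte RIFF/WAVE header written above.

Added example for this report; not code from the sample, from Remcos or from
Joe Sandbox. The field layout is the standard PCM WAV header, which matches the
write sizes of the function above. The sample header is constructed; 16-bit
mono at 11025 Hz is an assumption, not a value read from the sample.
"""
import struct
from dataclasses import dataclass

HEADER_FMT = "<4sI4s4sIHHIIHH4sI"        # little-endian, 13 fields
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44 bytes


@dataclass
class WavHeader:
    riff_size: int
    audio_format: int      # 1 = PCM
    channels: int
    sample_rate: int
    byte_rate: int
    block_align: int
    bits_per_sample: int
    data_size: int

    @property
    def duration_seconds(self) -> float:
        return self.data_size / self.byte_rate if self.byte_rate else 0.0


def build_header(channels: int, sample_rate: int, bits_per_sample: int,
                 data_size: int, audio_format: int = 1) -> bytes:
    """Emit the header in the same field order as the thirteen writes above."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return struct.pack(HEADER_FMT,
                       b"RIFF", 36 + data_size, b"WAVE",
                       b"fmt ", 16, audio_format, channels, sample_rate,
                       byte_rate, block_align, bits_per_sample,
                       b"data", data_size)


def parse_header(blob: bytes) -> WavHeader:
    """Unpack the header and raise ValueError on any internal inconsistency."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(blob)}")
    (riff, riff_size, wave, fmt, fmt_size, audio_format, channels, sample_rate,
     byte_rate, block_align, bits, data, data_size) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if (riff, wave, fmt, data) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("chunk tags are not RIFF/WAVE/fmt /data")
    if fmt_size != 16:
        raise ValueError(f"fmt chunk size {fmt_size} is not the 16-byte PCM layout")
    if channels == 0 or bits % 8 or block_align != channels * bits // 8:
        raise ValueError("block_align inconsistent with channels and bit depth")
    if byte_rate != sample_rate * block_align:
        raise ValueError("byte_rate inconsistent with sample_rate and block_align")
    if riff_size != 36 + data_size:
        raise ValueError("RIFF size does not equal 36 + data size")
    return WavHeader(riff_size, audio_format, channels, sample_rate,
                     byte_rate, block_align, bits, data_size)


def describe(blob: bytes) -> str:
    """One-line triage summary: 'ok ...' for a consistent header, 'invalid: ...' otherwise."""
    try:
        h = parse_header(blob)
    except ValueError as exc:
        return f"invalid: {exc}"
    return (f"ok {h.channels}ch {h.sample_rate}Hz {h.bits_per_sample}bit "
            f"{h.data_size} data bytes ~{h.duration_seconds:.2f}s")


# Constructed sample: one second of 16-bit mono at 11025 Hz (assumed parameters).
SAMPLE_HEADER = build_header(channels=1, sample_rate=11025, bits_per_sample=16, data_size=22050)

if __name__ == "__main__":
    print(describe(SAMPLE_HEADER))
    tampered = bytearray(SAMPLE_HEADER)
    tampered[22] = 2          # claim stereo without fixing block_align
    print(describe(bytes(tampered)))
```

                      A header that fails these relations is usually a recording cut short (the size fields are written first and never patched) or a file that only imitates the WAV layout; either way the data chunk can still be carved from offset 44, with the duration estimated from the on-disk length rather than from the stated data size.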
                      APIs
                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Local\scrolar\Monteverdi.exe,00000001,00407688,C:\Users\user\AppData\Local\scrolar\Monteverdi.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                      • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                      • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                      • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                      • GetProcAddress.KERNEL32(00000000), ref: 00407308
                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                      • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                      • GetProcAddress.KERNEL32(00000000), ref: 00407330
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                      • API String ID: 1646373207-2299335075
                      • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                      • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                      • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                      • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00068968
                      • GetSystemMetrics.USER32(00000007), ref: 00068970
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0006899B
                      • GetSystemMetrics.USER32(00000008), ref: 000689A3
                      • GetSystemMetrics.USER32(00000004), ref: 000689C8
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000689E5
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000689F5
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00068A28
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00068A3C
                      • GetClientRect.USER32(00000000,000000FF), ref: 00068A5A
                      • GetStockObject.GDI32(00000011), ref: 00068A76
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00068A81
                        • Part of subcall function 0006912D: GetCursorPos.USER32(?), ref: 00069141
                        • Part of subcall function 0006912D: ScreenToClient.USER32(00000000,?), ref: 0006915E
                        • Part of subcall function 0006912D: GetAsyncKeyState.USER32(00000001), ref: 00069183
                        • Part of subcall function 0006912D: GetAsyncKeyState.USER32(00000002), ref: 0006919D
                      • SetTimer.USER32(00000000,00000000,00000028,000690FC), ref: 00068AA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      • Opcode ID: 0445c11908fb63b13f6d2c65f42f258333cbab42f254028e4d986f8453eb6b8f
                      • Instruction ID: 3ecfc43fba852251352ba6e006b06aa8eea6707c1db2af9f9bb401aabfbfa900
                      • Opcode Fuzzy Hash: 0445c11908fb63b13f6d2c65f42f258333cbab42f254028e4d986f8453eb6b8f
                      • Instruction Fuzzy Hash: 0BB17F71A00209AFEF14DFA8DD85FAE3BB5FB48714F144219FA15AB290DB35A881CF51
                      APIs
                      • _wcslen.LIBCMT ref: 0040CE42
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                      • CopyFileW.KERNEL32(C:\Users\user\AppData\Local\scrolar\Monteverdi.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                      • _wcslen.LIBCMT ref: 0040CF21
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                      • CopyFileW.KERNEL32(C:\Users\user\AppData\Local\scrolar\Monteverdi.exe,00000000,00000000), ref: 0040CFBF
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                      • _wcslen.LIBCMT ref: 0040D001
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                      • ExitProcess.KERNEL32 ref: 0040D09D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                      • String ID: 6$C:\Users\user\AppData\Local\scrolar\Monteverdi.exe$del$open
                      • API String ID: 1579085052-4181495324
                      • Opcode ID: 7be0b8c73f48dd80c56e532ca0ba81f4a909d2216d906caae310ebc44240cddc
                      • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                      • Opcode Fuzzy Hash: 7be0b8c73f48dd80c56e532ca0ba81f4a909d2216d906caae310ebc44240cddc
                      • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                      APIs
                      • lstrlenW.KERNEL32(?), ref: 0041C0C7
                      • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                      • lstrlenW.KERNEL32(?), ref: 0041C0F8
                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                      • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                      • _wcslen.LIBCMT ref: 0041C1CC
                      • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                      • GetLastError.KERNEL32 ref: 0041C204
                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                      • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                      • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                      • GetLastError.KERNEL32 ref: 0041C261
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                      • String ID: ?
                      • API String ID: 3941738427-1684325040
                      • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                      • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                      • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                      • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$EnvironmentVariable$_wcschr
                      • String ID:
                      • API String ID: 3899193279-0
                      • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                      • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                      • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                      • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                      APIs
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                      • LoadLibraryA.KERNEL32(?), ref: 00414E52
                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                      • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                      • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                      • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                      • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                      • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                      • API String ID: 2490988753-744132762
                      • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                      • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                      • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                      • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                      • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEnumOpen
                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                      • API String ID: 1332880857-3714951968
                      • Opcode ID: 132a9e2ff93fc21665a21f2e34fbfa3ed8450dc49093aec61130b783751931f0
                      • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                      • Opcode Fuzzy Hash: 132a9e2ff93fc21665a21f2e34fbfa3ed8450dc49093aec61130b783751931f0
                      • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$Info
                      • String ID:
                      • API String ID: 2509303402-0
                      • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                      • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                      • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                      • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                      • __aulldiv.LIBCMT ref: 00408D88
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                      • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                      • CloseHandle.KERNEL32(00000000), ref: 00409037
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                      • API String ID: 3086580692-2582957567
                      • Opcode ID: 5872576aec726466043185f7c0be3d3eee987baa1611d502a54b7a717f7871ae
                      • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                      • Opcode Fuzzy Hash: 5872576aec726466043185f7c0be3d3eee987baa1611d502a54b7a717f7871ae
                      • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0045138A
                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                      • _free.LIBCMT ref: 0045137F
                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                      • _free.LIBCMT ref: 004513A1
                      • _free.LIBCMT ref: 004513B6
                      • _free.LIBCMT ref: 004513C1
                      • _free.LIBCMT ref: 004513E3
                      • _free.LIBCMT ref: 004513F6
                      • _free.LIBCMT ref: 00451404
                      • _free.LIBCMT ref: 0045140F
                      • _free.LIBCMT ref: 00451447
                      • _free.LIBCMT ref: 0045144E
                      • _free.LIBCMT ref: 0045146B
                      • _free.LIBCMT ref: 00451483
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                      • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                      • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                      APIs
                        • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                        • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                        • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                        • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                        • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                      • ExitProcess.KERNEL32 ref: 0040D9FF
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                      • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                      • API String ID: 1913171305-3159800282
                      • Opcode ID: ddd35168170237395ef730a59eebf14e838534a69def4b3a9319708d9f810069
                      • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                      • Opcode Fuzzy Hash: ddd35168170237395ef730a59eebf14e838534a69def4b3a9319708d9f810069
                      • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                      • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                      • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                      • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                      APIs
                        • Part of subcall function 00069944: GetWindowLongW.USER32(?,000000EB), ref: 00069952
                      • GetSysColor.USER32(0000000F), ref: 00069862
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: 865957cb5780b3e96f863d6267a0757238b6862d8c1d0e596e3df913720eabe7
                      • Instruction ID: 9c54365b344c1d9477d3f864304fe011dfbe98daac6c0c9d657d57c443c4dc3d
                      • Opcode Fuzzy Hash: 865957cb5780b3e96f863d6267a0757238b6862d8c1d0e596e3df913720eabe7
                      • Instruction Fuzzy Hash: F241BF31504640EFEB205F389C84BBA3BAABB47730F144659F9B29B1E1DB759C42DB20
                      APIs
                        • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                      • GetLastError.KERNEL32 ref: 00455D6F
                      • __dosmaperr.LIBCMT ref: 00455D76
                      • GetFileType.KERNEL32(00000000), ref: 00455D82
                      • GetLastError.KERNEL32 ref: 00455D8C
                      • __dosmaperr.LIBCMT ref: 00455D95
                      • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                      • CloseHandle.KERNEL32(?), ref: 00455EFF
                      • GetLastError.KERNEL32 ref: 00455F31
                      • __dosmaperr.LIBCMT ref: 00455F38
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                      • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                      • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                      • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                      • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                      • API String ID: 3756808967-1743721670
                      • Opcode ID: c91aea4d40e4d1a0950ef19e8005302c09d623b329889b3b1db6a9c690c797fa
                      • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                      • Opcode Fuzzy Hash: c91aea4d40e4d1a0950ef19e8005302c09d623b329889b3b1db6a9c690c797fa
                      • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: _free
                      • String ID: \&G$\&G$`&G
                      • API String ID: 269201875-253610517
                      • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                      • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                      • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                      • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                      APIs
                      • __EH_prolog.LIBCMT ref: 0041A04A
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                      • Sleep.KERNEL32(000003E8), ref: 0041A18E
                      • GetLocalTime.KERNEL32(?), ref: 0041A196
                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Sleep$CreateDirectoryH_prologLocalTime
                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                      • API String ID: 3069631530-1431523004
                      • Opcode ID: f8cb79ab315acd64e1cafed531d6f98a132ae3fa1d929d40e05129c0e31351f8
                      • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                      • Opcode Fuzzy Hash: f8cb79ab315acd64e1cafed531d6f98a132ae3fa1d929d40e05129c0e31351f8
                      • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID:
                      • String ID: 65535$udp
                      • API String ID: 0-1267037602
                      • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                      • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                      • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                      • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                      • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                      • __dosmaperr.LIBCMT ref: 0043A926
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                      • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                      • __dosmaperr.LIBCMT ref: 0043A963
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                      • __dosmaperr.LIBCMT ref: 0043A9B7
                      • _free.LIBCMT ref: 0043A9C3
                      • _free.LIBCMT ref: 0043A9CA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                      • String ID:
                      • API String ID: 2441525078-0
                      • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                      • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                      • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                      • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 004054BF
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                      • TranslateMessage.USER32(?), ref: 0040557E
                      • DispatchMessageA.USER32(?), ref: 00405589
                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                      • String ID: CloseChat$DisplayMessage$GetMessage
                      • API String ID: 2956720200-749203953
                      • Opcode ID: 6ab9195ce3c144dec039f7e49df656aea5875d2a9c186c118349d8c1a0a9022b
                      • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                      • Opcode Fuzzy Hash: 6ab9195ce3c144dec039f7e49df656aea5875d2a9c186c118349d8c1a0a9022b
                      • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                      APIs
                        • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                      • CloseHandle.KERNEL32(00000000), ref: 00417E20
                      • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00417DE3
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                      • String ID: 0VG$0VG$<$@$Temp
                      • API String ID: 1704390241-2575729100
                      • Opcode ID: a622ca32611d5a72253d61c9bab598c2ca2844357dabfe39f52712de72d2cd75
                      • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                      • Opcode Fuzzy Hash: a622ca32611d5a72253d61c9bab598c2ca2844357dabfe39f52712de72d2cd75
                      • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                      APIs
                      • OpenClipboard.USER32 ref: 0041697C
                      • EmptyClipboard.USER32 ref: 0041698A
                      • CloseClipboard.USER32 ref: 00416990
                      • OpenClipboard.USER32 ref: 00416997
                      • GetClipboardData.USER32(0000000D), ref: 004169A7
                      • GlobalFix.KERNEL32(00000000), ref: 004169B0
                      • GlobalUnWire.KERNEL32(00000000), ref: 004169B9
                      • CloseClipboard.USER32 ref: 004169BF
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyWiresend
                      • String ID: !D@
                      • API String ID: 653963949-604454484
                      • Opcode ID: a43d608a2b8e33e847cae427567af0447e719639ef396aceacf3274e3b226fc5
                      • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                      • Opcode Fuzzy Hash: a43d608a2b8e33e847cae427567af0447e719639ef396aceacf3274e3b226fc5
                      • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 0ed79d4076665045b1f9cab59a83aeff363f29dd9362be522ae2060de172b89a
                      • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                      • Opcode Fuzzy Hash: 0ed79d4076665045b1f9cab59a83aeff363f29dd9362be522ae2060de172b89a
                      • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                      APIs
                      • _free.LIBCMT ref: 004481B5
                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                      • _free.LIBCMT ref: 004481C1
                      • _free.LIBCMT ref: 004481CC
                      • _free.LIBCMT ref: 004481D7
                      • _free.LIBCMT ref: 004481E2
                      • _free.LIBCMT ref: 004481ED
                      • _free.LIBCMT ref: 004481F8
                      • _free.LIBCMT ref: 00448203
                      • _free.LIBCMT ref: 0044820E
                      • _free.LIBCMT ref: 0044821C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                      • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                      • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                      • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Eventinet_ntoa
                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                      • API String ID: 3578746661-3604713145
                      • Opcode ID: 4bf7b553ad48a61432478035009b57f9ee15858f863905a8c9f222dfbb24189a
                      • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                      • Opcode Fuzzy Hash: 4bf7b553ad48a61432478035009b57f9ee15858f863905a8c9f222dfbb24189a
                      • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                      APIs
                      • RtlDecodePointer.NTDLL(?), ref: 00455FA7
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                      • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                      • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                      • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                      • Sleep.KERNEL32(00000064), ref: 0041755C
                      • DeleteFileW.KERNEL32(00000000), ref: 00417590
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: File$CreateDeleteExecuteShellSleep
                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                      • API String ID: 1462127192-2001430897
                      • Opcode ID: b4845073cafc808c1fea5ce059c26085e8ed1e069299650051a8013d5664e5ff
                      • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                      • Opcode Fuzzy Hash: b4845073cafc808c1fea5ce059c26085e8ed1e069299650051a8013d5664e5ff
                      • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                      APIs
                      • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                      • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\AppData\Local\scrolar\Monteverdi.exe), ref: 004074D9
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: CurrentProcess
                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                      • API String ID: 2050909247-4242073005
                      • Opcode ID: 6ceb9103d77b1bc27c300794ecf0ee90de48fd3161816cd50b459a1cb4f425b3
                      • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                      • Opcode Fuzzy Hash: 6ceb9103d77b1bc27c300794ecf0ee90de48fd3161816cd50b459a1cb4f425b3
                      • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                      APIs
                      • _strftime.LIBCMT ref: 00401D50
                        • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                      • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                      • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                      • API String ID: 3809562944-243156785
                      • Opcode ID: be84aaf7667932e47e23f663c217c21e3cdd9ab5d30d9f8f3cffa1a7c107896e
                      • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                      • Opcode Fuzzy Hash: be84aaf7667932e47e23f663c217c21e3cdd9ab5d30d9f8f3cffa1a7c107896e
                      • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                      • int.LIBCPMT ref: 00410EBC
                        • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                        • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                      • std::_Facet_Register.LIBCPMT ref: 00410EFC
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                      • __Init_thread_footer.LIBCMT ref: 00410F64
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                      • String ID: ,kG$0kG
                      • API String ID: 3815856325-2015055088
                      • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                      • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                      • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                      • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00093AAF,?,?,Bad directive syntax error,000ECC08,00000000,00000010,?,?), ref: 000B98BC
                      • LoadStringW.USER32(00000000,?,00093AAF,?), ref: 000B98C3
                        • Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000B9987
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: HandleLoadMessageModuleString_wcslen
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 858772685-4153970271
                      • Opcode ID: 113fef45c8850c96dd0fb68d4dfdaa80ab23bd43deab5c47943412ea7256e96a
                      • Instruction ID: 12be8e36944f7ace5e56eb6f4da36806665182abacbfcc19bf59920a9b55f4da
                      • Opcode Fuzzy Hash: 113fef45c8850c96dd0fb68d4dfdaa80ab23bd43deab5c47943412ea7256e96a
                      • Instruction Fuzzy Hash: BE217C3290021EEBDF15AF90CC06EEE7775FF18701F044469FA15760A2EB729A58DB11
                      APIs
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                      • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                      • waveInStart.WINMM ref: 00401CFE
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                      • String ID: dMG$|MG$PG
                      • API String ID: 1356121797-532278878
                      • Opcode ID: a43ee6cf57fb8fb71a413818e44f7525a44f3a40ce95ea5fa5f8790268e6ec6b
                      • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                      • Opcode Fuzzy Hash: a43ee6cf57fb8fb71a413818e44f7525a44f3a40ce95ea5fa5f8790268e6ec6b
                      • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                        • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                        • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                        • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                      • lstrcpyn.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                      • Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0041D56E
                      • TranslateMessage.USER32(?), ref: 0041D57A
                      • DispatchMessageA.USER32(?), ref: 0041D584
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                      • String ID: Remcos
                      • API String ID: 1970332568-165870891
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                      • __alloca_probe_16.LIBCMT ref: 00453F6A
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                      • __alloca_probe_16.LIBCMT ref: 00454014
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?), ref: 004461EA
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                      • __freea.LIBCMT ref: 00454083
                      • __freea.LIBCMT ref: 0045408F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                      • String ID:
                      • API String ID: 201697637-0
                      APIs
                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 000E5186
                      • ShowWindow.USER32(?,00000000), ref: 000E51C7
                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 000E51CD
                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 000E51D1
                        • Part of subcall function 000E6FBA: DeleteObject.GDI32(?), ref: 000E6FE6
                      • GetWindowLongW.USER32(?,000000F0), ref: 000E520D
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000E521A
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000E524D
                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 000E5287
                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 000E5296
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                      • String ID:
                      • API String ID: 3210457359-0
                      APIs
                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                      • _memcmp.LIBVCRUNTIME ref: 004454A4
                      • _free.LIBCMT ref: 00445515
                      • _free.LIBCMT ref: 0044552E
                      • _free.LIBCMT ref: 00445560
                      • _free.LIBCMT ref: 00445569
                      • _free.LIBCMT ref: 00445575
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorLast$_abort_memcmp
                      • String ID: C
                      • API String ID: 1679612858-1037565863
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: tcp$udp
                      • API String ID: 0-3725065008
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 004018BE
                      • RtlExitUserThread.NTDLL(00000000), ref: 004018F6
                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                      • String ID: PkG$XMG$NG$NG
                      • API String ID: 1265842484-3151166067
                      APIs
                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                        • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                        • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                      • String ID: .part
                      • API String ID: 1303771098-3499674018
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 000BC913
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2457776203-404129466
                      APIs
                      • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                      • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                      • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Console$Window$AllocOutputShow
                      • String ID: Remcos v$5.1.1 Pro$CONOUT$
                      • API String ID: 4067487056-3820604032
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                      • __alloca_probe_16.LIBCMT ref: 0044AD5B
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                      • __alloca_probe_16.LIBCMT ref: 0044AE40
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                      • __freea.LIBCMT ref: 0044AEB0
                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?), ref: 004461EA
                      • __freea.LIBCMT ref: 0044AEB9
                      • __freea.LIBCMT ref: 0044AEDE
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 3864826663-0
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 0006F953
                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 000AF3D1
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 000AF454
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      APIs
                      • SendInput.USER32 ref: 00419A25
                      • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                      • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                        • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: InputSend$Virtual
                      • String ID:
                      • API String ID: 1167301434-0
                      APIs
                      • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                      • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                      • GetKeyState.USER32(00000010), ref: 0040A46E
                      • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                      • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                      • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                      • String ID:
                      • API String ID: 1888522110-0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16_free
                      • String ID: a/p$am/pm$h{D
                      • API String ID: 2936374016-2303565833
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$AllocateHeap
                      • String ID: KED
                      • API String ID: 3033488037-2133951994
                      APIs
                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Enum$InfoQueryValue
                      • String ID: [regsplt]$xUG$TG
                      • API String ID: 3554306468-1165877943
                      APIs
                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                      • __fassign.LIBCMT ref: 0044B4F9
                      • __fassign.LIBCMT ref: 0044B514
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                      • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      APIs
                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                        • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                        • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: CloseEnumInfoOpenQuerysend
                      • String ID: xUG$NG$NG$TG
                      APIs
                        • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                        • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                        • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                        • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                        • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                      • _wcslen.LIBCMT ref: 0041B7F4
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                      • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                      APIs
                        • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                        • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                        • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                      • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                      APIs
                        • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                      • _free.LIBCMT ref: 00450FC8
                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                      • _free.LIBCMT ref: 00450FD3
                      • _free.LIBCMT ref: 00450FDE
                      • _free.LIBCMT ref: 00451032
                      • _free.LIBCMT ref: 0045103D
                      • _free.LIBCMT ref: 00451048
                      • _free.LIBCMT ref: 00451053
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                      • int.LIBCPMT ref: 004111BE
                        • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                        • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                      • std::_Facet_Register.LIBCPMT ref: 004111FE
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                      • String ID: (mG
                      APIs
                      • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                      • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                      • GetLastError.KERNEL32 ref: 0040BB22
                      Strings
                      • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                      • [Chrome Cookies not found], xrefs: 0040BB3C
                      • UserProfile, xrefs: 0040BAE8
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 000C097B
                      • RtlEnterCriticalSection.NTDLL(?), ref: 000C098D
                      • TerminateThread.KERNEL32(00000000,000001F6,?,?,?,?,?,?,?,?,?,?,?,?,000926DC), ref: 000C099B
                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,?,?,?,?,?,?,?,?,000926DC), ref: 000C09A9
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000926DC), ref: 000C09B8
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 000C09C8
                      • RtlLeaveCriticalSection.NTDLL(?), ref: 000C09CF
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      APIs
                      • __allrem.LIBCMT ref: 0043ACE9
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                      • __allrem.LIBCMT ref: 0043AD1C
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                      • __allrem.LIBCMT ref: 0043AD51
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      APIs
                      • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                        • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: H_prologSleep
                      • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: __cftoe
                      • String ID:
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                      • String ID:
                      Strings
                      • InitializeCriticalSectionEx, xrefs: 0044A1CA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID: InitializeCriticalSectionEx
                      APIs
                      • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                      • _free.LIBCMT ref: 004482CC
                      • _free.LIBCMT ref: 004482F4
                      • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                      • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                      • _abort.LIBCMT ref: 00448313
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 7b41b93198e4e158e00518e51cbc4b4f212d8a971dd117c9ed4f07e5206b74fb
                      • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                      • Opcode Fuzzy Hash: 7b41b93198e4e158e00518e51cbc4b4f212d8a971dd117c9ed4f07e5206b74fb
                      • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: e25d8f3dfa961240da0dd009b3251180ee2c96285856cd205778ae0237d9d6ec
                      • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                      • Opcode Fuzzy Hash: e25d8f3dfa961240da0dd009b3251180ee2c96285856cd205778ae0237d9d6ec
                      • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                      APIs
                      • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                      • GetLastError.KERNEL32 ref: 0041D611
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ClassCreateErrorLastRegisterWindow
                      • String ID: 0$MsgWindowClass
                      • API String ID: 2877667751-2410386613
                      • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                      • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                      • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                      • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                      APIs
                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                      • CloseHandle.KERNEL32(?), ref: 004077E5
                      • CloseHandle.KERNEL32(?), ref: 004077EA
                      Strings
                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                      • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreateProcess
                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                      • API String ID: 2922976086-4183131282
                      • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                      • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                      • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                      • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
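The CreateProcessA call above disables UAC machine-wide by having cmd.exe run reg.exe against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; the creation flag 0x08000000 in the same call is CREATE_NO_WINDOW, so no console appears, and the setting takes effect after the next reboot, after which every elevation is silent. The script below is an added detection example and is not part of the Joe Sandbox report: it runs over constructed process-creation records shaped like Sysmon Event ID 1 (only the command line and the parent path Monteverdi.exe are taken from strings on this page) and flags reg.exe writes that set EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop under that key to 0, while ignoring queries and re-enabling writes.

```python
"""Flag process-creation records that disable UAC the way the CreateProcessA
call above does (cmd.exe /k reg.exe ADD ...\Policies\System /v EnableLUA /d 0).

Added detection example, not part of the Joe Sandbox report. SAMPLE_EVENTS is
constructed to look like Sysmon Event ID 1 fields; only the command line and
the parent image path are taken from strings in the report.
"""
import re
from typing import Dict, List, Optional, Tuple

POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# reg.exe ADD <key> <options>; the key may be quoted and reg may carry a path.
REG_ADD = re.compile(
    r"""\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?\s+(?P<rest>.*)""",
    re.IGNORECASE,
)
OPT_VALUE = re.compile(r"/v\s+\"?(?P<name>[^\"\s]+)", re.IGNORECASE)
OPT_DATA = re.compile(r"/d\s+(?P<data>\S+)", re.IGNORECASE)

# Values under the policy key that, when set to 0, weaken or disable UAC.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def uac_tamper(command_line: str) -> Optional[Tuple[str, int]]:
    """Return (value_name, data) when command_line writes a UAC policy value
    to 0, otherwise None."""
    m = REG_ADD.search(command_line)
    if not m:
        return None
    key = m.group("key").lower().replace("hkey_local_machine", "hklm")
    if key != POLICY_KEY:
        return None
    v = OPT_VALUE.search(m.group("rest"))
    d = OPT_DATA.search(m.group("rest"))
    if not v or not d:
        return None
    name = v.group("name").lower()
    try:
        data = int(d.group("data"), 0)  # reg accepts decimal or 0x-prefixed hex
    except ValueError:
        return None
    if name in UAC_VALUES and data == 0:
        return name, data
    return None


def find_uac_tampering(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run uac_tamper over process-creation records and collect the hits."""
    hits = []
    for ev in events:
        res = uac_tamper(ev.get("CommandLine", ""))
        if res:
            hits.append({"parent": ev.get("ParentImage", ""),
                         "image": ev.get("Image", ""),
                         "value": res[0]})
    return hits


# Constructed records (Sysmon Event ID 1 shape). The first reproduces the
# call in the report; the others exercise the matcher.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\scrolar\Monteverdi.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg  ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0x0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",  # re-enabling UAC: not a hit
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",  # read-only query: not a hit
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
]


if __name__ == "__main__":
    for hit in find_uac_tampering(SAMPLE_EVENTS):
        print(f"UAC tamper: {hit['parent']} -> {hit['image']} set {hit['value']}=0")
```

The matcher keys on the parsed key path and value rather than on the literal command string, so it also catches the HKEY_LOCAL_MACHINE spelling, quoted keys and hex data; pairing the hit with a registry-set event on the same value (Sysmon Event ID 13) confirms the write landed.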
                      Strings
                      • Rmc-NKQ1SM, xrefs: 00407715
                      • C:\Users\user\AppData\Local\scrolar\Monteverdi.exe, xrefs: 004076FF
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe$Rmc-NKQ1SM
                      • API String ID: 0-675440183
                      • Opcode ID: 2044abb531cfc8a2cc52a7940299024e957ae24c063d1056a69331680f34b060
                      • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                      • Opcode Fuzzy Hash: 2044abb531cfc8a2cc52a7940299024e957ae24c063d1056a69331680f34b060
                      • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                      • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                      • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                      • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                      • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                      • String ID: KeepAlive | Disabled
                      • API String ID: 2993684571-305739064
                      • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                      • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                      • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                      • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                      APIs
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                      • Sleep.KERNEL32(00002710), ref: 0041AE98
                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: PlaySound$HandleLocalModuleSleepTime
                      • String ID: Alarm triggered
                      • API String ID: 614609389-2816303416
                      • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                      • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                      • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                      • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                      APIs
                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                      Strings
                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                      • API String ID: 3024135584-2418719853
                      • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                      • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                      • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                      • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                      APIs
                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                      • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                      • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                      • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID: SETTINGS
                      • API String ID: 3473537107-594951305
                      • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                      • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                      • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                      • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
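The FindResourceA(SETTINGS, 0000000A) call above looks up an RT_RCDATA (type 10) resource named SETTINGS, which is where Remcos keeps its configuration; the mutex Rmc-NKQ1SM and the install path under scrolar\ listed in this page's strings are the kind of values that come out of it. The decoder below is an added example and is not code from the report, from Joe Sandbox or from Remcos. The layout it assumes (first byte is the RC4 key length, the key follows, and the rest is the RC4-encrypted configuration with fields joined by the token |\x1e\x1e\x1f|) is taken from public Remcos write-ups rather than from this page, so SEPARATOR and the field meanings must be checked against the version in hand; the sample blob is constructed, and pefile is needed only by the optional settings_from_pe helper.

```python
"""Decode a Remcos "SETTINGS" resource blob (RT_RCDATA, type 0xA in the
FindResourceA call above).

Added example; not code from the Joe Sandbox report or from Remcos. The layout
assumed here (byte 0 = RC4 key length, then the key, then the RC4-encrypted
configuration whose fields are joined by SEPARATOR) comes from public Remcos
write-ups, not from this page. SAMPLE_FIELDS is constructed; only the mutex
and the install-path components are taken from the report's strings.
"""
from typing import List, Sequence


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Field separator used by the publicly documented Remcos versions; adjust if
# the sample at hand uses a different token.
SEPARATOR = b"|\x1e\x1e\x1f|"


def decode_settings(blob: bytes) -> List[bytes]:
    """Split a raw SETTINGS resource into its plaintext configuration fields."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed SETTINGS blob: bad key length")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    return plain.split(SEPARATOR)


def build_settings(key: bytes, fields: Sequence[bytes]) -> bytes:
    """Inverse of decode_settings; used here only to construct the sample blob."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, SEPARATOR.join(fields))


def settings_from_pe(path: str) -> bytes:
    """Pull the raw SETTINGS RCDATA resource out of a PE file (needs pefile)."""
    import pefile  # third-party; only this helper needs it
    pe = pefile.PE(path)
    for top in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if top.id != pefile.RESOURCE_TYPE["RT_RCDATA"]:
            continue
        for res in top.directory.entries:
            if res.name is not None and str(res.name) == "SETTINGS":
                data = res.directory.entries[0].data.struct
                return pe.get_data(data.OffsetToData, data.Size)
    raise LookupError("no SETTINGS resource in " + path)


# Constructed sample configuration. Field order and meaning vary by Remcos
# version, so only the first field (C2 host:port:password list) is given a
# realistic shape; the host is a reserved example name.
SAMPLE_FIELDS = [
    b"c2.example.invalid:2404:1;",
    b"RemoteHost",
    b"Rmc-NKQ1SM",        # mutex name, as listed in the report's strings
    b"Monteverdi.exe",    # install file name, from the report's install path
    b"scrolar",           # install folder, from the report's install path
]
SAMPLE_BLOB = build_settings(b"Example-RC4-Key", SAMPLE_FIELDS)


def decode_sample() -> List[bytes]:
    return decode_settings(SAMPLE_BLOB)


if __name__ == "__main__":
    for i, field in enumerate(decode_sample()):
        print(i, field.decode("latin-1"))
```

Run the file as is, or call decode_settings(settings_from_pe(path)) on the dumped Monteverdi.exe; a wrong SEPARATOR shows up as a single undivided field, and a wrong layout as non-printable bytes in the first field.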
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                      • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                      • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                      • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                      • _free.LIBCMT ref: 0044943D
                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                      • _free.LIBCMT ref: 00449609
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                      • String ID:
                      • API String ID: 1286116820-0
                      • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                      • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                      • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                      • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                      APIs
                        • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                        • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                      • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                        • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                        • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                      • String ID:
                      • API String ID: 2180151492-0
                      • Opcode ID: 466c2ba7d862698c18eca10f796a94010bb2fdfec4d33d506baa337bf5da1f00
                      • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                      • Opcode Fuzzy Hash: 466c2ba7d862698c18eca10f796a94010bb2fdfec4d33d506baa337bf5da1f00
                      • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
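The sequence above (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS, Process32FirstW/NextW, OpenProcess in a subcall, CloseHandle) is a process walk; what separates a benign enumeration from injection preparation is the access mask handed to OpenProcess. Here 0x1000 and 0x400 are PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_QUERY_INFORMATION, enough for GetProcessImageFileNameW, with no memory-write or thread rights requested. The parser below is an added example, not part of Joe Sandbox or the report: it reads trace lines in the report's Name.MODULE(args), ref: addr format (SAMPLE_TRACE is quoted from the block above, trimmed to the relevant calls), decodes the flag arguments with the documented Win32 values, and classifies the OpenProcess usage.

```python
"""Parse Joe Sandbox "APIs" trace lines (Name.MODULE(args), ref: addr) and
decode the flag arguments so the intent of a call sequence is readable.

Added example, not part of the report or of Joe Sandbox. SAMPLE_TRACE is
quoted from this page's process-enumeration function block; the constant
tables hold the documented Win32 values.
"""
import re
from typing import Dict, List, Optional

TRACE_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
TH32CS = {0x01: "TH32CS_SNAPHEAPLIST", 0x02: "TH32CS_SNAPPROCESS", 0x04: "TH32CS_SNAPTHREAD",
          0x08: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
CREATE_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
                0x08000000: "CREATE_NO_WINDOW"}

# API name -> (position of the flag argument, table to decode it with).
# Arguments are split on commas, which is fine for the lines on this page but
# would break on a string argument that itself contains a comma.
FLAG_ARGS = {"OpenProcess": (0, PROCESS_ACCESS),
             "CreateToolhelp32Snapshot": (0, TH32CS),
             "CreateProcessA": (5, CREATE_FLAGS), "CreateProcessW": (5, CREATE_FLAGS)}

# Rights that let the caller alter another process; any of them turns an
# enumeration sequence into a likely injection or tampering sequence.
WRITE_RIGHTS = 0x0002 | 0x0008 | 0x0020 | 0x0800


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a flag word into names, keeping any bits the table does not cover."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def parse_line(line: str) -> Optional[dict]:
    m = TRACE_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    call = {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}
    if call["api"] in FLAG_ARGS:
        idx, table = FLAG_ARGS[call["api"]]
        if idx < len(args) and args[idx] != "?":  # "?" means the value was not recovered
            call["flags"] = decode_flags(int(args[idx], 16), table)
    return call


def parse_trace(text: str) -> List[dict]:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def classify_process_access(calls: List[dict]) -> Optional[str]:
    """'enumerate' if OpenProcess only asks for query rights, 'modify' if any
    write/thread right is requested, None if there is no OpenProcess call."""
    masks = [int(c["args"][0], 16) for c in calls
             if c["api"] == "OpenProcess" and c["args"] and c["args"][0] != "?"]
    if not masks:
        return None
    return "modify" if any(m & WRITE_RIGHTS for m in masks) else "enumerate"


SAMPLE_TRACE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print(f"{c['ref']:08X} {c['module']}!{c['api']} {c.get('flags', '')}")
    print("OpenProcess usage:", classify_process_access(calls))
```

Feeding a whole APIs section through parse_trace gives a list that can be grouped by ref address or by decoded rights; the same table approach applies to the CreateProcessA line earlier on this page, whose sixth argument 08000000 decodes to CREATE_NO_WINDOW.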
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                      • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                      • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                      • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                      APIs
                      • GetCursorPos.USER32(?), ref: 00069141
                      • ScreenToClient.USER32(00000000,?), ref: 0006915E
                      • GetAsyncKeyState.USER32(00000001), ref: 00069183
                      • GetAsyncKeyState.USER32(00000002), ref: 0006919D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: 276023c7e7775cbeba494c8fb2bae9f7b1b850192e66ff53c5ca794b3a3e839a
                      • Instruction ID: 04ca15bd060770f06b7631da6634c269296ed9f96272d077c039271fe3923bb2
                      • Opcode Fuzzy Hash: 276023c7e7775cbeba494c8fb2bae9f7b1b850192e66ff53c5ca794b3a3e839a
                      • Instruction Fuzzy Hash: 62416071A0860AFBDF159FA8C844BEEB7B9FF46320F208215E429A7291C7345994CB91
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                      • __alloca_probe_16.LIBCMT ref: 00451231
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                      • __freea.LIBCMT ref: 0045129D
                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?), ref: 004461EA
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 313313983-0
                      • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                      • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                      • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                      • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?), ref: 004461EA
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                      • _free.LIBCMT ref: 0044F43F
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                      • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                      • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                      • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                      APIs
                      • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                      • _free.LIBCMT ref: 00448353
                      • _free.LIBCMT ref: 0044837A
                      • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                      • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                      • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                      • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                      • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                      APIs
                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                      • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseHandleOpen$FileImageName
                      • String ID:
                      • API String ID: 2951400881-0
                      • Opcode ID: a466ccb92c7dfd33ca55c350389704782dc7c710618cc45707ed84d1b5d732df
                      • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                      • Opcode Fuzzy Hash: a466ccb92c7dfd33ca55c350389704782dc7c710618cc45707ed84d1b5d732df
                      • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,00000000), ref: 000BE997
                      • QueryPerformanceFrequency.KERNEL32(?), ref: 000BE9A5
                      • Sleep.KERNEL32(00000000), ref: 000BE9AD
                      • QueryPerformanceCounter.KERNEL32(?), ref: 000BE9B7
                      • Sleep.KERNEL32(?,00000000), ref: 000BE9F3
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: 58163fc2bc9fc106dae03e232eedbb68179a5f27e353c5ea75246761789976cd
                      • Instruction ID: 36d05a37f06686e49765bfc6e36a2aae393c90bcc61e5d71dac04f06bb91b71e
                      • Opcode Fuzzy Hash: 58163fc2bc9fc106dae03e232eedbb68179a5f27e353c5ea75246761789976cd
                      • Instruction Fuzzy Hash: 16016931C01669DBEF40AFE5DC99AEDBBB8FF0A701F000556E502B2241CB39A559CBA1
                      APIs
                      • _free.LIBCMT ref: 00450A54
                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                      • _free.LIBCMT ref: 00450A66
                      • _free.LIBCMT ref: 00450A78
                      • _free.LIBCMT ref: 00450A8A
                      • _free.LIBCMT ref: 00450A9C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                      • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                      • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                      • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                      APIs
                      • _free.LIBCMT ref: 00444106
                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                      • _free.LIBCMT ref: 00444118
                      • _free.LIBCMT ref: 0044412B
                      • _free.LIBCMT ref: 0044413C
                      • _free.LIBCMT ref: 0044414D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                      • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                      • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                      • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                      APIs
                      • _strpbrk.LIBCMT ref: 0044E7B8
                      • _free.LIBCMT ref: 0044E8D5
                        • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                        • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                        • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                      • String ID: *?$.
                      • API String ID: 2812119850-3972193922
                      • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                      • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                      • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                      • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                      APIs
                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                        • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,0141BB00,00000010), ref: 004048E0
                        • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFileKeyboardLayoutNameconnectsend
                      • String ID: XQG$NG$PG
                      • API String ID: 1634807452-3565412412
                      • Opcode ID: 1d3b092b4c054f2ad057474d174eb08ec1cadda227f985496f65b267d605057e
                      • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                      • Opcode Fuzzy Hash: 1d3b092b4c054f2ad057474d174eb08ec1cadda227f985496f65b267d605057e
                      • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\scrolar\Monteverdi.exe,00000104), ref: 00443515
                      • _free.LIBCMT ref: 004435E0
                      • _free.LIBCMT ref: 004435EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\AppData\Local\scrolar\Monteverdi.exe
                      • API String ID: 2506810119-1162995082
                      • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                      • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                      • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                      • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                        • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                      • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                      • String ID: /sort "Visit Time" /stext "$0NG
                      • API String ID: 368326130-3219657780
                      • Opcode ID: a52fb820547994009a82547dcd6cbde1189004fc68fd9fa8dc3fc47d0d210e60
                      • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                      • Opcode Fuzzy Hash: a52fb820547994009a82547dcd6cbde1189004fc68fd9fa8dc3fc47d0d210e60
                      • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                      APIs
                      • _wcslen.LIBCMT ref: 00416330
                        • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                        • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                        • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                        • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wcslen$CloseCreateValue
                      • String ID: !D@$okmode$PG
                      • API String ID: 3411444782-3370592832
                      • Opcode ID: ecfe5100862ed62e40576249610b0ae6ee25fc531445174cf88e97f01db53f4c
                      • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                      • Opcode Fuzzy Hash: ecfe5100862ed62e40576249610b0ae6ee25fc531445174cf88e97f01db53f4c
                      • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                      APIs
                        • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                      Strings
                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                      • User Data\Default\Network\Cookies, xrefs: 0040C63E
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                      • API String ID: 1174141254-1980882731
                      • Opcode ID: 76a8a49218e0127d603d0a0932e780e4f3486ace7b5a8330dac648d282294df6
                      • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                      • Opcode Fuzzy Hash: 76a8a49218e0127d603d0a0932e780e4f3486ace7b5a8330dac648d282294df6
                      • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                      APIs
                        • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                      Strings
                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                      • User Data\Default\Network\Cookies, xrefs: 0040C70D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                      • API String ID: 1174141254-1980882731
                      • Opcode ID: 902379d0316f7f8dafc8b973bb6e85758b3092e9ae00aa201464db89eb719788
                      • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                      • Opcode Fuzzy Hash: 902379d0316f7f8dafc8b973bb6e85758b3092e9ae00aa201464db89eb719788
                      • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                      APIs
                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                      • wsprintfW.USER32 ref: 0040B22E
                        • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: EventLocalTimewsprintf
                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                      • API String ID: 1497725170-1359877963
                      • Opcode ID: 69492968dce4ce23e25adb3ef684fd4798edb2ea461c215276a3afbdccebbb84
                      • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                      • Opcode Fuzzy Hash: 69492968dce4ce23e25adb3ef684fd4798edb2ea461c215276a3afbdccebbb84
                      • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                      APIs
                        • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                        • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                      • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTime$wsprintf
                      • String ID: Online Keylogger Started
                      • API String ID: 112202259-1258561607
                      • Opcode ID: ba2cdf5414176112680b2e36908cddbc25e6642888137417a8391819cda2a068
                      • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                      • Opcode Fuzzy Hash: ba2cdf5414176112680b2e36908cddbc25e6642888137417a8391819cda2a068
                      • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                      APIs
                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                      • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: CryptUnprotectData$crypt32
                      • API String ID: 2574300362-2380590389
                      • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                      • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                      • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                      • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                      • CloseHandle.KERNEL32(?), ref: 004051CA
                      • SetEvent.KERNEL32(?), ref: 004051D9
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandleObjectSingleWait
                      • String ID: Connection Timeout
                      • API String ID: 2055531096-499159329
                      • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                      • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                      • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                      • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Exception@8Throw
                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                      • API String ID: 2005118841-1866435925
                      • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                      • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                      • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                      • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                      APIs
                      • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                      • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                      • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: pth_unenc
                      • API String ID: 1818849710-4028850238
                      • Opcode ID: 26e15efbc33a27784ef885e8ca829e67d193987e9426d87e9fb60720a55483f6
                      • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                      • Opcode Fuzzy Hash: 26e15efbc33a27784ef885e8ca829e67d193987e9426d87e9fb60720a55483f6
                      • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                        • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                        • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                      • String ID: bad locale name
                      • API String ID: 3628047217-1405518554
                      • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                      • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                      • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                      • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                      APIs
                      • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                      • ShowWindow.USER32(00000009), ref: 00416C9C
                      • SetForegroundWindow.USER32 ref: 00416CA8
                        • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                        • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                        • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                        • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                      • String ID: !D@
                      • API String ID: 186401046-604454484
                      • Opcode ID: d0f15e859c495a6e9ef5f86c5ad74c1b66fc8ddf3a82526ce7b368d9da4323f8
                      • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                      • Opcode Fuzzy Hash: d0f15e859c495a6e9ef5f86c5ad74c1b66fc8ddf3a82526ce7b368d9da4323f8
                      • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: /C $cmd.exe$open
                      • API String ID: 587946157-3896048727
                      • Opcode ID: 7fd806d0ad4715ea2cad33fc45fd5d8ea454bb844d8533dd622c2767a8298e1d
                      • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                      • Opcode Fuzzy Hash: 7fd806d0ad4715ea2cad33fc45fd5d8ea454bb844d8533dd622c2767a8298e1d
                      • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                      APIs
                      • TerminateThread.KERNEL32(Function_0000A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                      • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                      • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: TerminateThread$HookUnhookWindows
                      • String ID: pth_unenc
                      • API String ID: 3123878439-4028850238
                      • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                      • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                      • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                      • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                      APIs
                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                      • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetCursorInfo$User32.dll
                      • API String ID: 1646373207-2714051624
                      • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                      • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                      • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                      • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                      APIs
                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                      • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetLastInputInfo$User32.dll
                      • API String ID: 2574300362-1519888992
                      • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                      • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                      • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                      • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                      • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                      • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                      • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                      • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                      • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                      • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                      APIs
                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411C93
                      • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                      • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHugeLastRead
                      • String ID:
                      • API String ID: 3239643929-0
                      • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                      • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                      • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                      • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000004,00000000,00000000,?,00000012,00000000,?,00000001,00000004,?,00000001,?,?), ref: 0008D910
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0008D999
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0008D9AB
                      • __freea.LIBCMT ref: 0008D9B4
                        • Part of subcall function 00083820: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00083852
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      • Opcode ID: 861a478dda75000c5d6ab8a43f29c2e1dc71b6c828a5be4397f381093aceed75
                      • Instruction ID: 157f99489a7dd40042434eae8f81fb2316cc1a9678db8850981775516d9ce54c
                      • Opcode Fuzzy Hash: 861a478dda75000c5d6ab8a43f29c2e1dc71b6c828a5be4397f381093aceed75
                      • Instruction Fuzzy Hash: FA31D272A0021AABDF25AF65DC41EEE7BA5EB41710F05426AFC88D7191EB35CD50CB90
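Every function record on this page names the memory region its code was lifted from, and two kinds of region appear: the dump at 0x400000, where the Remcos functions (hooks, cmd.exe spawning, credential wiping) live, and the dump at 0x50000, whose functions are ordinary runtime and GUI code. The script below is an added example, not part of the Joe Sandbox report, that decodes those dump names for triage. The field layout is our reading of the names as they appear here, not something the report documents: the fourth field is taken as the base address because it matches the "Offset" shown for each source, and the fifth and seventh fields are taken as page protection and region type because every value present on this page (0x02, 0x04, 0x40, 0x80 and 0x20000, 0x1000000) is a valid PAGE_* or MEM_* constant; the remaining fields are left undecoded. The triage point is that the Remcos code sits in a private, non-image-backed PAGE_EXECUTE_READWRITE region that the report says contains a PE ("based on PE: true"), which is what unpacked or injected code looks like, whereas the 0x50000 regions are an image-backed module loaded from a file.

```python
"""Decode the Joe Sandbox memory-dump names on this page and sort the regions into
image-backed modules versus private executable memory. Added example; the field
layout below is our reading of the names, not something the report documents."""
import re
from dataclasses import dataclass

# winnt.h page protections (low byte; PAGE_GUARD/PAGE_NOCACHE are high-bit modifiers)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <proc>.<snapshot>.<dump id>.<base>.<protect>.<f5>.<type>.<f7>.sdmp  (assumed layout;
# f5 and f7 are left undecoded because the page gives no way to confirm them)
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$")


@dataclass
class DumpRegion:
    name: str
    proc_index: int
    snapshot: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)          # any PAGE_EXECUTE_* value

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in (0x40, 0x80)


def decode_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return DumpRegion(name, int(m["proc"], 16), int(m["snap"], 16), int(m["base"], 16),
                      int(m["prot"], 16), int(m["type"], 16))


def classify(region: DumpRegion, pe_header_present: bool) -> str:
    """Triage verdict for one region. pe_header_present mirrors the report's
    'based on PE: true' flag for the dump the region belongs to."""
    if region.mem_type == 0x1000000:
        return "image"            # backed by a file on disk: a normally loaded module
    if region.mem_type == 0x20000 and region.writable_and_executable and pe_header_present:
        return "injected-pe"      # private RWX memory holding a PE: unpacked/injected payload
    if region.mem_type == 0x20000 and region.executable:
        return "private-exec"     # executable private memory without a PE: possible shellcode
    return "data"


# Dump names copied from this page, paired with the report's "based on PE" flag.
SAMPLE = [
    ("00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp", True),
    ("00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp", True),
    ("00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp", True),
    ("00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp", True),
    ("00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp", True),
]


def triage(samples) -> list:
    """[(base, protection, type, verdict)] for each (dump name, pe flag) pair."""
    rows = []
    for name, pe in samples:
        r = decode_dump_name(name)
        rows.append((r.base, r.protect_name, r.type_name, classify(r, pe)))
    return rows


if __name__ == "__main__":
    for base, prot, typ, verdict in triage(SAMPLE):
        print(f"{base:#010x} {prot:<24} {typ:<12} {verdict}")
```

The "injected-pe" verdict is the region an analyst should carve first: it is the one whose Yara matches drive the Remcos detection in the header, and its first two name fields (2, 2) line up with the `hcaresult_2_2_400000` snapshot file named in each record.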
                      APIs
                      Strings
                      • Cleared browsers logins and cookies., xrefs: 0040C130
                      • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                      • API String ID: 3472027048-1236744412
                      • Opcode ID: 89087982b9f18f6ed7126e8e60e6f0f46d4aef64b1045ae46dea68bdf68e8d8b
                      • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                      • Opcode Fuzzy Hash: 89087982b9f18f6ed7126e8e60e6f0f46d4aef64b1045ae46dea68bdf68e8d8b
                      • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                      APIs
                      • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                      • EnumDisplayDevicesW.USER32(?), ref: 00419560
                      • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                      • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: DisplayEnum$Devices$Monitors
                      • String ID:
                      • API String ID: 1432082543-0
                      • Opcode ID: 2536863ea1043ca3eb30e89df6922ef64f047d79255f45d23e3b4c480c8389d5
                      • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                      • Opcode Fuzzy Hash: 2536863ea1043ca3eb30e89df6922ef64f047d79255f45d23e3b4c480c8389d5
                      • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
                      APIs
                        • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                        • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                        • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                      • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                      • Sleep.KERNEL32(00000064), ref: 0040A638
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$ForegroundLength
                      • String ID: [ $ ]
                      • API String ID: 3309952895-93608704
                      • Opcode ID: bd7487fdc1006a7e3ee9d0a282af8e1ad335a64527479a6e856d98fad443e2c1
                      • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                      • Opcode Fuzzy Hash: bd7487fdc1006a7e3ee9d0a282af8e1ad335a64527479a6e856d98fad443e2c1
                      • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
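Read together, the 0x400000 records above are the behaviours an analyst expects from a Remcos build: ShellExecuteW("open", "cmd.exe", ...) with a "/C " string for the remote shell, TerminateThread plus UnhookWindowsHookEx to stop a hook-based keylogger thread, GetModuleHandleA/LoadLibraryA paired with GetProcAddress to resolve GetCursorInfo and GetLastInputInfo for user-idle checks, the "Cleared browsers logins and cookies." status string, and a GetForegroundWindow/GetWindowTextW/Sleep loop with "[ " and " ]" strings that is consistent with tagging captured input with the active window title. The script below is an added example, not part of the Joe Sandbox report, that parses records in the page's own APIs / Strings / Similarity layout and applies those observations as rules. The sample text is abridged from this page, the rule wording is ours, and the last rule is a heuristic: calling SetLastError with ERROR_MOD_NOT_FOUND (0x7E) and ERROR_PROC_NOT_FOUND (0x7F) next to IsBadHugeReadPtr is consistent with code that walks a PE export table itself rather than calling GetProcAddress, but the page does not say that.

```python
"""Behaviour triage over Joe Sandbox function records (the APIs / Strings /
Similarity blocks on this page). Added example; rule wording is ours."""
import re
from dataclasses import dataclass, field

# One API line, with or without the "Part of subcall function" prefix, e.g.
#   • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
#   • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
API_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w:@~$]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
STRING_RE = re.compile(r"•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]+)")
STRING_ID_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref-or-None) pairs

    def label(self) -> str:
        """Address used to name the function: first direct call, else a string xref."""
        direct = [c.ref for c in self.calls if not c.subcall]
        xrefs = [r for _, r in self.strings if r]
        return (direct or xrefs or [c.ref for c in self.calls] or ["?"])[0]

    def names(self) -> set:
        return {c.name for c in self.calls}

    def text(self) -> str:
        return " ".join([t for t, _ in self.strings] + [a for c in self.calls for a in c.args])


def parse_records(report: str) -> list:
    """Each 'APIs' header opens a new function record; later headers switch sections."""
    records, current, section = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            current, section = FunctionRecord(), "APIs"
            records.append(current)
            continue
        if current is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Similarity"):
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.calls.append(Call(m["name"], m["module"], args, m["ref"], bool(m["sub"])))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := STRING_ID_RE.match(line)):
            current.strings.extend((s, None) for s in m["ids"].split("$") if s.strip())
    return records


def findings(rec: FunctionRecord) -> list:
    names, text, out = rec.names(), rec.text(), []
    if names & {"ShellExecuteW", "ShellExecuteA"} and "cmd.exe" in text:
        out.append("spawns cmd.exe through ShellExecute (remote shell)")
    if {"UnhookWindowsHookEx", "TerminateThread"} <= names:
        out.append("removes a Windows hook and kills its worker thread (keylogger stop routine)")
    if "GetProcAddress" in names and names & {"GetModuleHandleA", "LoadLibraryA", "LoadLibraryW"}:
        probes = sorted({"GetLastInputInfo", "GetCursorInfo"} & set(text.split()))
        out.append("resolves APIs at runtime" + (f" ({', '.join(probes)}: user-idle probing)" if probes else ""))
    if {"GetForegroundWindow", "GetWindowTextW", "Sleep"} <= names:
        out.append("polls the active window title in a sleep loop (keylogger context tagging)")
    if "Cleared browsers logins and cookies" in text:
        out.append("reports browser credential and cookie wiping to the operator")
    if "IsBadHugeReadPtr" in names:
        # ERROR_MOD_NOT_FOUND (0x7E) / ERROR_PROC_NOT_FOUND (0x7F) set by hand: heuristic for
        # code that emulates LoadLibrary/GetProcAddress instead of calling them.
        codes = {int(c.args[0], 16) for c in rec.calls if c.name == "SetLastError" and c.args}
        if codes & {0x7E, 0x7F}:
            out.append("sets ERROR_MOD_NOT_FOUND/ERROR_PROC_NOT_FOUND itself (hand-rolled API resolver, heuristic)")
    return out


def analyze(report: str) -> list:
    """Return [(function label, [finding, ...])] for every record that trips a rule."""
    return [(r.label(), f) for r in parse_records(report) if (f := findings(r))]


# Constructed sample: six records abridged from this page.
SAMPLE_REPORT = """
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
Similarity
• String ID: /C $cmd.exe$open
APIs
• TerminateThread.KERNEL32(Function_0000A2B8,00000000,004752F0,pth_unenc), ref: 0040B8F6
• UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
• TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• SetLastError.KERNEL32(0000007F,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040C130
Similarity
• API ID: Sleep
APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?), ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
"""

if __name__ == "__main__":
    for label, hits in analyze(SAMPLE_REPORT):
        print(label, "|", "; ".join(hits))
```

Subcall lines are kept in the record on purpose: the window-title loop at 0040A5AE only shows GetForegroundWindow and GetWindowTextW through its callee at 0041C5E2, so a rule that looked at direct calls alone would miss it.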
                      APIs
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: SystemTimes$Sleep__aulldiv
                      • String ID:
                      • API String ID: 188215759-0
                      • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                      • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                      • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                      • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                      • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                      • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                      • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                      • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                      • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                      • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0005604C
                      • GetStockObject.GDI32(00000011), ref: 00056060
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0005606A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: CreateMessageObjectSendStockWindow
                      • String ID:
                      • API String ID: 3970641297-0
                      • Opcode ID: 6c75a5b8491a2dafd58fbd16ae41549976d7b2dd43a281d91b48854d1a85bf38
                      • Instruction ID: c7a378cc60a2221e6fcc890726226deab65d806f4cefd17bf269223658faf2ae
                      • Opcode Fuzzy Hash: 6c75a5b8491a2dafd58fbd16ae41549976d7b2dd43a281d91b48854d1a85bf38
                      • Instruction Fuzzy Hash: 1D118E72101548BFEF224F94CC54EEB7BA9EF09765F401201FE0456060C737AC619B90
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                      • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                      • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                      • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                      • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                        • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                      • _UnwindNestedFrames.LIBCMT ref: 00439911
                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                      • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                      • String ID:
                      • API String ID: 2633735394-0
                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                      • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                      • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                      APIs
                      • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                      • GetSystemMetrics.USER32(0000004D), ref: 00419431
                      • GetSystemMetrics.USER32(0000004E), ref: 00419437
                      • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: MetricsSystem
                      • String ID:
                      • API String ID: 4116985748-0
                      • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                      • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                      • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                      • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                      APIs
                        • Part of subcall function 00069639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00069693
                        • Part of subcall function 00069639: SelectObject.GDI32(?,00000000), ref: 000696A2
                        • Part of subcall function 00069639: BeginPath.GDI32(?), ref: 000696B9
                        • Part of subcall function 00069639: SelectObject.GDI32(?,00000000), ref: 000696E2
                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 000E8887
                      • LineTo.GDI32(?,?,?), ref: 000E8894
                      • EndPath.GDI32(?), ref: 000E88A4
                      • StrokePath.GDI32(?), ref: 000E88B2
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                      • String ID:
                      • API String ID: 1539411459-0
                      • Opcode ID: f60fbafd654e7193bc2ac181ba62db034a52f59071fa7580d6cc9acfae6bb684
                      • Instruction ID: 83a206bdfb061a448e6e0ab3f3ca90ac7a99abac07979985a72d61b2d251cbbe
                      • Opcode Fuzzy Hash: f60fbafd654e7193bc2ac181ba62db034a52f59071fa7580d6cc9acfae6bb684
                      • Instruction Fuzzy Hash: 92F03A36041298BAFF125F94AC09FCA3A59AF16714F048100FE11790E2CB7A5562CBA5
                      APIs
                      • GetSysColor.USER32(00000008), ref: 000698CC
                      • SetTextColor.GDI32(?,?), ref: 000698D6
                      • SetBkMode.GDI32(?,00000001), ref: 000698E9
                      • GetStockObject.GDI32(00000005), ref: 000698F1
                      Memory Dump Source
                      • Source File: 00000002.00000002.3702521682.0000000000051000.00000040.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                      • Associated: 00000002.00000002.3701967533.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.0000000000112000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000011C000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.000000000014D000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3702521682.00000000001D3000.00000040.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3706612761.00000000001D9000.00000080.00000001.01000000.00000004.sdmp
                      • Associated: 00000002.00000002.3708709622.00000000001DA000.00000004.00000001.01000000.00000004.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_50000_Monteverdi.jbxd
                      Similarity
                      • API ID: Color$ModeObjectStockText
                      • String ID:
                      • API String ID: 4037423528-0
                      • Opcode ID: 0dec6dec53d8222b345f8a69061fd2587ca5e489ca3cb8159c7e45347d4281b9
                      • Instruction ID: 58be94930c594168d31f6ebfff2104443f2ce321d6e1016fb217146ec65fb33a
                      • Opcode Fuzzy Hash: 0dec6dec53d8222b345f8a69061fd2587ca5e489ca3cb8159c7e45347d4281b9
                      • Instruction Fuzzy Hash: AFE065312446C0AAFB215B78EC49FD83F51EB13735F04C259F6F9680E1C37646419B10
                      APIs
                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                        • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                      • String ID:
                      • API String ID: 1761009282-0
                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                      • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                      • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                      • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                      • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                      • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                      APIs
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                      • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateStream
                      • String ID: image/jpeg
                      • API String ID: 1369699375-3785015651
                      • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                      • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                      • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                      • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                      APIs
                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                      • __Init_thread_footer.LIBCMT ref: 0040B7D2
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer__onexit
                      • String ID: [End of clipboard]$[Text copied to clipboard]
                      • API String ID: 1881088180-3686566968
                      • Opcode ID: ea1e03acb1aabbc30c43d4988ee51f48618f1fe3a6a4317e4b313e3924dc3a78
                      • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                      • Opcode Fuzzy Hash: ea1e03acb1aabbc30c43d4988ee51f48618f1fe3a6a4317e4b313e3924dc3a78
                      • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                      APIs
                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ACP$OCP
                      • API String ID: 0-711371036
                      • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                      • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                      • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                      • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                      APIs
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateStream
                      • String ID: image/png
                      • API String ID: 1369699375-2966254431
                      • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                      • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                      • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                      • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                      APIs
                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                      Strings
                      • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: KeepAlive | Enabled | Timeout:
                      • API String ID: 481472006-1507639952
                      • Opcode ID: 1183f192522e4df64eb5f92206734bd19d1223fd61879706f910d0ae6d0fd28e
                      • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                      • Opcode Fuzzy Hash: 1183f192522e4df64eb5f92206734bd19d1223fd61879706f910d0ae6d0fd28e
                      • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                      APIs
                      • Sleep.KERNEL32 ref: 0041667B
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: DownloadFileSleep
                      • String ID: !D@
                      • API String ID: 1931167962-604454484
                      • Opcode ID: 2b9ba62bc202f7e2056aea50ccc6e79447f9f21ac4e8ba002f447834f5353cfc
                      • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                      • Opcode Fuzzy Hash: 2b9ba62bc202f7e2056aea50ccc6e79447f9f21ac4e8ba002f447834f5353cfc
                      • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                      APIs
                      • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: | $%02i:%02i:%02i:%03i
                      • API String ID: 481472006-2430845779
                      • Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                      • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                      • Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                      • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: alarm.wav$hYG
                      • API String ID: 1174141254-2782910960
                      • Opcode ID: 69b7eb2f27b5cce8024157c56b71f7d8473ce5491271ee9472b6b0c2a7432126
                      • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                      • Opcode Fuzzy Hash: 69b7eb2f27b5cce8024157c56b71f7d8473ce5491271ee9472b6b0c2a7432126
                      • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                      APIs
                        • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                        • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                      • CloseHandle.KERNEL32(?), ref: 0040B0EF
                      • UnhookWindowsHookEx.USER32 ref: 0040B102
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                      • String ID: Online Keylogger Stopped
                      • API String ID: 1623830855-1496645233
                      • Opcode ID: ff12478fca0cc0ee65e468d4b02be0ed9388a302ab9613c2ecf4daa20a289438
                      • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                      • Opcode Fuzzy Hash: ff12478fca0cc0ee65e468d4b02be0ed9388a302ab9613c2ecf4daa20a289438
                      • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                      APIs
                      • waveInPrepareHeader.WINMM(01144ED0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                      • waveInAddBuffer.WINMM(01144ED0,00000020,?,00000000,00401A15), ref: 0040185F
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: wave$BufferHeaderPrepare
                      • String ID: XMG
                      • API String ID: 2315374483-813777761
                      • Opcode ID: 6b361a9a65100065d0f16949ce50c41ad3dfbb509ee012d82c6f106022a5639b
                      • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                      • Opcode Fuzzy Hash: 6b361a9a65100065d0f16949ce50c41ad3dfbb509ee012d82c6f106022a5639b
                      • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                      APIs
                      • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocaleValid
                      • String ID: IsValidLocaleName$kKD
                      • API String ID: 1901932003-3269126172
                      • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                      • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                      • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                      • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                      • API String ID: 1174141254-4188645398
                      • Opcode ID: 4248f78c0f0ab2772c6ae10e335970d70a91011477b7d9840934789724483141
                      • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                      • Opcode Fuzzy Hash: 4248f78c0f0ab2772c6ae10e335970d70a91011477b7d9840934789724483141
                      • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                      • API String ID: 1174141254-2800177040
                      • Opcode ID: e7e2c1d35b3f93631141f173570c859944d7b59136427c301e93fe4173e28835
                      • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                      • Opcode Fuzzy Hash: e7e2c1d35b3f93631141f173570c859944d7b59136427c301e93fe4173e28835
                      • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: AppData$\Opera Software\Opera Stable\
                      • API String ID: 1174141254-1629609700
                      • Opcode ID: e1827d774f8c21ad400d97979f690ec14b92786fc0f365bec16e3623a9506e3a
                      • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                      • Opcode Fuzzy Hash: e1827d774f8c21ad400d97979f690ec14b92786fc0f365bec16e3623a9506e3a
                      • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                      APIs
                      • GetKeyState.USER32(00000011), ref: 0040B686
                        • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                        • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                        • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                        • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                        • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                        • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                        • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                        • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                      • String ID: [AltL]$[AltR]
                      • API String ID: 2738857842-2658077756
                      • Opcode ID: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                      • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                      • Opcode Fuzzy Hash: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                      • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: !D@$open
                      • API String ID: 587946157-1586967515
                      • Opcode ID: 5e4ae80a57af5f421dd8abb03d3f1b3a46d64c017cfe5a59df252d73b604f3a8
                      • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                      • Opcode Fuzzy Hash: 5e4ae80a57af5f421dd8abb03d3f1b3a46d64c017cfe5a59df252d73b604f3a8
                      • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                      APIs
                      • GetKeyState.USER32(00000012), ref: 0040B6E0
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: State
                      • String ID: [CtrlL]$[CtrlR]
                      • API String ID: 1649606143-2446555240
                      • Opcode ID: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                      • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                      • Opcode Fuzzy Hash: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                      • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                      APIs
                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                      • __Init_thread_footer.LIBCMT ref: 00410F64
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer__onexit
                      • String ID: ,kG$0kG
                      • API String ID: 1881088180-2015055088
                      • Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                      • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                      • Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                      • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                      • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteOpenValue
                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                      • API String ID: 2654517830-1051519024
                      • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                      • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                      • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                      • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                      APIs
                      • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                      • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteDirectoryFileRemove
                      • String ID: pth_unenc
                      • API String ID: 3325800564-4028850238
                      • Opcode ID: 6843a18af519bace195bf633597e0c2e12960de6aac63c697e565ef2fe360c3a
                      • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                      • Opcode Fuzzy Hash: 6843a18af519bace195bf633597e0c2e12960de6aac63c697e565ef2fe360c3a
                      • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                      APIs
                      • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                      • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ObjectProcessSingleTerminateWait
                      • String ID: pth_unenc
                      • API String ID: 1872346434-4028850238
                      • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                      • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                      • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                      • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                      • GetLastError.KERNEL32 ref: 00440D85
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                      Memory Dump Source
                      • Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmp
                      • Associated: 00000002.00000002.3709350496.0000000000478000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast
                      • String ID:
                      • API String ID: 1717984340-0
                      • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                      • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                      • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                      • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
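The function records above (APIs, Strings, Memory Dump Source, Similarity) are emitted as flat text, which makes it tedious to pull out the API names, registry paths and fuzzy hashes by hand when you want to compare this sample with other reports. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It reads records in the layout shown above, strips the "Download File" link residue, and flags records whose strings or arguments reference a Run-style autostart key (the registry path in the RegOpenKeyExW/RegDeleteValueW record). The sample text is constructed from two of the records on this page; the autostart-key marker list and the `pivot` grouping by "API String ID" are this example's own assumptions about what a triage analyst wants to pivot on.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Memory Dump Source /
Similarity blocks) into structured objects for triage and cross-report pivoting.
Added example; not Joe Sandbox code. Requires Python 3.9+ (str.removesuffix)."""
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function X: " prefix, then
# Name.MODULE(optional,args), ref: ADDRESS  (the comma is absent when no args).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w@?$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# Assumption: autostart registry locations worth flagging during triage.
AUTORUN_KEY_MARKERS = (
    r"\CurrentVersion\Run",
    r"\CurrentVersion\Policies\Explorer\Run",
)


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # dicts: name/module/args/ref/caller
    strings: list = field(default_factory=list)  # dicts: value/xref
    fields: dict = field(default_factory=dict)   # "Opcode ID" -> [values], etc.

    def api_names(self):
        return [a["name"] for a in self.apis]

    def first(self, key):
        """First value of a 'Key: value' field, or None if the record lacks it."""
        return self.fields.get(key, [None])[0]

    def touches_autorun_key(self):
        """True when any string or API argument names a Run-style autostart key."""
        hay = [s["value"] for s in self.strings]
        hay += [arg for a in self.apis for arg in a["args"]]
        return any(m.lower() in h.lower() for h in hay for m in AUTORUN_KEY_MARKERS)


def parse_records(text):
    """Split report text into FunctionRecords; a record starts at each 'APIs' header.
    Lines before the first 'APIs' header (a record cut off at the top) are skipped."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        line = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                current.apis.append(d)
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings.append(m.groupdict())
        elif ":" in line:
            key, _, value = line.partition(":")
            value = value.strip().removesuffix("Download File").strip()  # link residue
            current.fields.setdefault(key.strip(), []).append(value)
    return records


def pivot(records, key="API String ID"):
    """Group Opcode IDs by a Similarity field so identical API/string combinations
    can be matched across reports of different samples."""
    out = {}
    for r in records:
        v = r.first(key)
        if v:
            out.setdefault(v, []).append(r.first("Opcode ID"))
    return out


# Constructed sample: two records copied from this report's layout.
SAMPLE = r"""APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Memory Dump Source
• Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3709350496.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Monteverdi.jbxd
Yara matches
Similarity
• API ID: DeleteOpenValue
• API String ID: 2654517830-1051519024
• Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
Memory Dump Source
• Source File: 00000002.00000002.3709350496.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
• Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_names(), rec.first("API String ID"), rec.touches_autorun_key())
```

Feed the whole function-record section of a report to `parse_records` and use `pivot` on "API String ID" or "Instruction Fuzzy Hash" to find the same code in other sandbox runs; `touches_autorun_key` is a quick filter for the persistence-related records when triaging a RAT sample such as this one.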