Windows Analysis Report
z1ProductSampleRequirement.exe

Overview

General Information

Sample name: z1ProductSampleRequirement.exe
Analysis ID: 1546626
MD5: 2b3aa1b01d8963ed35a0050f793b4811
SHA1: 34df4ca808f2d35290d4008f2c6b3ea7e8e80d8a
SHA256: 1682ee7703dd036cbdf6ad6daa38ddb7a4e7ab567b273f9ee209672f339feb2d
Tags: exe, RemcosRAT, user-Porcupine

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • z1ProductSampleRequirement.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\z1ProductSampleRequirement.exe" MD5: 2B3AA1B01D8963ED35A0050F793B4811)
    • powershell.exe (PID: 2352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6540 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6484 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XyLTxdgHV.exe (PID: 7248 cmdline: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe MD5: 2B3AA1B01D8963ED35A0050F793B4811)
    • schtasks.exe (PID: 7344 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • XyLTxdgHV.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe" MD5: 2B3AA1B01D8963ED35A0050F793B4811)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration: {"Host:Port:Password": ["teebro1800.dynamic-dns.net:2195:1"], "Assigned name": "3", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-HNOBUS", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\ProgramData\remcos\logs.dat; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security

Source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000009.00000002.4498721754.0000000002D2F000.00000004.00000010.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 0000000E.00000002.2105358568.00000000015AA000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
(5 of 17 entries shown)

Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown; Strings:
                • 0x691e0:$a1: Remcos restarted by watchdog!
                • 0x69738:$a3: %02i:%02i:%02i:%03i
                • 0x69abd:$a4: * Remcos v
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack; Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown; Strings:
                • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
                • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                • 0x6320c:$str_b2: Executing file:
                • 0x64328:$str_b3: GetDirectListeningPort
                • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                • 0x63e30:$str_b7: \update.vbs
                • 0x63234:$str_b9: Downloaded file:
                • 0x63220:$str_b10: Downloading file:
                • 0x632c4:$str_b12: Failed to upload file:
                • 0x642f0:$str_b13: StartForward
                • 0x64310:$str_b14: StopForward
                • 0x63dd8:$str_b15: fso.DeleteFile "
                • 0x63d6c:$str_b16: On Error Resume Next
                • 0x63e08:$str_b17: fso.DeleteFolder "
                • 0x632b4:$str_b18: Uploaded file:
                • 0x63274:$str_b19: Unable to delete:
                • 0x63da0:$str_b20: while fso.FileExists("
                • 0x63749:$str_c0: [Firefox StoredLogins not found]
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; Description: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen; Strings:
                • 0x63100:$s1: \Classes\mscfile\shell\open\command
                • 0x63160:$s1: \Classes\mscfile\shell\open\command
                • 0x63148:$s2: eventvwr.exe
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
(5 of 31 entries shown)

                  System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ParentImage: C:\Users\user\Desktop\z1ProductSampleRequirement.exe, ParentProcessId: 1892, ParentProcessName: z1ProductSampleRequirement.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ProcessId: 2352, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ParentImage: C:\Users\user\Desktop\z1ProductSampleRequirement.exe, ParentProcessId: 1892, ParentProcessName: z1ProductSampleRequirement.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ProcessId: 2352, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe, ParentImage: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe, ParentProcessId: 7248, ParentProcessName: XyLTxdgHV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp", ProcessId: 7344, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ParentImage: C:\Users\user\Desktop\z1ProductSampleRequirement.exe, ParentProcessId: 1892, ParentProcessName: z1ProductSampleRequirement.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp", ProcessId: 6484, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ParentImage: C:\Users\user\Desktop\z1ProductSampleRequirement.exe, ParentProcessId: 1892, ParentProcessName: z1ProductSampleRequirement.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ProcessId: 2352, ProcessName: powershell.exe

                  Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z1ProductSampleRequirement.exe", ParentImage: C:\Users\user\Desktop\z1ProductSampleRequirement.exe, ParentProcessId: 1892, ParentProcessName: z1ProductSampleRequirement.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp", ProcessId: 6484, ProcessName: schtasks.exe

                  Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\z1ProductSampleRequirement.exe, ProcessId: 5708, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts (columns: Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol):
Timestamp: 2024-11-01T09:32:14.685625+0100, SID: 2022930, Severity: 1, Classtype: A Network Trojan was detected, Source IP: 4.175.87.197, Source Port: 443, Destination IP: 192.168.2.5, Destination Port: 49711, Protocol: TCP
Timestamp: 2024-11-01T09:32:53.372550+0100, SID: 2022930, Severity: 1, Classtype: A Network Trojan was detected, Source IP: 4.175.87.197, Source Port: 443, Destination IP: 192.168.2.5, Destination Port: 49922, Protocol: TCP
Timestamp: 2024-11-01T09:32:00.575139+0100, SID: 2036594, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.5, Source Port: 49707, Destination IP: 51.75.166.98, Destination Port: 2195, Protocol: TCP
Timestamp: 2024-11-01T09:32:02.348331+0100, SID: 2803304, Severity: 3, Classtype: Unknown Traffic, Source IP: 192.168.2.5, Source Port: 49708, Destination IP: 178.237.33.50, Destination Port: 80, Protocol: TCP

                  AV Detection

Source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["teebro1800.dynamic-dns.net:2195:1"], "Assigned name": "3", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-HNOBUS", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; ReversingLabs: Detection: 65%
Source: z1ProductSampleRequirement.exe; ReversingLabs: Detection: 65%
Source: Yara match; File source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4498721754.0000000002D2F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2105358568.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 5708, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: XyLTxdgHV.exe PID: 7388, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.7% probability
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Joe Sandbox ML: detected
Source: z1ProductSampleRequirement.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,14_2_004315EC
Source: z1ProductSampleRequirement.exe, 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_a681f401-6
Source: z1ProductSampleRequirement.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z1ProductSampleRequirement.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: pYIN.pdbSHA256 source: z1ProductSampleRequirement.exe, XyLTxdgHV.exe.0.dr
                  Source: Binary string: pYIN.pdb source: z1ProductSampleRequirement.exe, XyLTxdgHV.exe.0.dr
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041A01B
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040B28E
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040838E
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004087A0
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00407848
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_004068CD FindFirstFileW,FindNextFileW,14_2_004068CD
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0044BA59 FindFirstFileExA,14_2_0044BA59
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040AA71
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00417AAB
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040AC78
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00406D28
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe; Code function: 4x nop then jmp 02AD10F2h; 0_2_02AD11C6
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe; Code function: 4x nop then jmp 02AD10F2h; 0_2_02AD130F
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 4x nop then jmp 0AA504DAh; 11_2_0AA505AE

                  Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 51.75.166.98:2195
Source: Malware configuration extractor; URLs: teebro1800.dynamic-dns.net
Source: global traffic; TCP traffic: 192.168.2.5:49707 -> 51.75.166.98:2195
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: OVHFR
Source: Network traffic; Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49708 -> 178.237.33.50:80
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49711
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49922
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,14_2_0041936B
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: global traffic; DNS traffic detected: DNS query: teebro1800.dynamic-dns.net
Source: global traffic; DNS traffic detected: DNS query: geoplugin.net
Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/
Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, XyLTxdgHV.exe; String found in binary or memory: http://geoplugin.net/json.gp
Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp$
Source: z1ProductSampleRequirement.exe, 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, XyLTxdgHV.exe, 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, XyLTxdgHV.exe, 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpl
Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpm
Source: z1ProductSampleRequirement.exe, 00000000.00000002.2087574819.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, XyLTxdgHV.exe, 0000000B.00000002.2126394543.000000000255A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1ProductSampleRequirement.exe, XyLTxdgHV.exe.0.dr; String found in binary or memory: http://tempuri.org/DataSet1.xsd

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000; 14_2_00409340
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\z1ProductSampleRequirement.exe
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040A65A
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,14_2_00414EC1
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,14_2_0040A65A
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe; Code function: 14_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,14_2_00409468

                  E-Banking Fraud

Source: Yara match | File source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498721754.0000000002D2F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2105358568.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 5708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XyLTxdgHV.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
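The memory-dump names in the Yara matches carry more than an identifier: the fields after the base address encode how the region was allocated, which is what separates a loaded module from injected code. The following is an added example, not part of the Joe Sandbox report or of Remcos, that decodes those names so matches can be grouped per process and triaged. It assumes the dotted name reads <process index, hex>.<dump point>.<dump id>.<base address>.<page protection>.<flags>.<region type>.<extra>.sdmp, with the fifth field a Win32 PAGE_* value and the seventh a MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE value; that layout is inferred from the values in this report and not taken from vendor documentation. The process-index-to-name mapping is read off the N.2.<name> unpack names above, and the rows are constructed from this report's Yara-match entries.

```python
"""Added example (not from the Joe Sandbox report or from Remcos): decode the
sdmp memory-dump names behind the Yara matches. ASSUMED field layout:
<proc>.<point>.<dump id>.<base>.<PAGE_* protection>.<flags>.<MEM_* type>.<extra>.sdmp"""
import re
from dataclasses import dataclass
from typing import Optional

# Win32 constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Process index -> image name, as given by the report's unpack names (0.2.*, 11.2.*, 14.2.*).
PROCESS_NAMES = {0: "z1ProductSampleRequirement.exe", 11: "XyLTxdgHV.exe", 14: "XyLTxdgHV.exe"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<point>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class Region:
    process: int
    base: int
    protect: str
    mem_type: str
    rule: str

    @property
    def process_name(self) -> str:
        return PROCESS_NAMES.get(self.process, "?")

    @property
    def injected_code_candidate(self) -> bool:
        """Executable pages in a private (non-image) allocation that match a malware
        rule: the footprint of a manually mapped or injected PE, not a loaded module."""
        return self.mem_type == "MEM_PRIVATE" and self.protect.startswith("PAGE_EXECUTE")


def parse_region(dump_name: str, rule: str) -> Optional[Region]:
    m = SDMP_RE.match(dump_name)
    if m is None:
        return None
    protect = int(m["protect"], 16) & 0xFF  # low byte is the base PAGE_* value; upper bits are modifiers
    return Region(
        process=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=PAGE_PROTECT.get(protect, f"0x{protect:02x}"),
        mem_type=MEM_TYPE.get(int(m["type"], 16), m["type"]),
        rule=rule,
    )


def injected_candidates(rows):
    """(dump name, rule) pairs -> regions worth dumping and unpacking first."""
    regions = (parse_region(name, rule) for name, rule in rows)
    return [r for r in regions if r is not None and r.injected_code_candidate]


# Rows constructed from this report's Yara-match entries (dump name, rule name as shown in
# the System Summary section; the E-Banking Fraud entries do not name their rule).
REPORT_ROWS = [
    ("0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp", "Windows_Trojan_Remcos_b296e965"),
    ("0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp", "Windows_Trojan_Remcos_b296e965"),
    ("00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp", "Windows_Trojan_Remcos_b296e965"),
    ("00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp", "(rule not named in section)"),
]

if __name__ == "__main__":
    for name, rule in REPORT_ROWS:
        r = parse_region(name, rule)
        flag = "  <-- private RWX region, dump this first" if r.injected_code_candidate else ""
        print(f"proc {r.process:2d} ({r.process_name}) base 0x{r.base:08X} "
              f"{r.protect:<22} {r.mem_type:<11} {r.rule}{flag}")
```

Under that reading, the one private PAGE_EXECUTE_READWRITE hit is at 0x400000 in process 14 (the second XyLTxdgHV.exe instance), which is consistent with the 14.2.XyLTxdgHV.exe.400000.0.unpack entries above: the Remcos payload sitting at the image base of a process it was written into rather than loaded from disk. The other matches are read-write heap-style regions holding configuration or strings, and the dropped C:\ProgramData\remcos\logs.dat is the on-disk artifact to look for on a suspected host.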

                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0041A76C SystemParametersInfoW,

                  System Summary

Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: XyLTxdgHV.exe PID: 7388, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_012C4204
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_012CE134
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_012C7018
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_02AD2D90
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_02AD43A8
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07540E28
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07546AC9
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_0754A618
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_0754B2C0
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_075430D0
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07543F77
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07543F88
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_0754AE78
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07540E21
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_0754AE88
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07543CF0
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07543CEA
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_0754AA50
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_07547A41
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Code function: 0_2_0754CAC8
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_00864204
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_0086E134
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_008625D8
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_00867018
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA0E28
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA6AD3
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAA618
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAA613
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAB2BB
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAB2C0
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA30D0
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAAE88
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAAE80
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA0E21
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA3F88
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA3F87
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA3CF0
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA3CEF
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BACAC8
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAAA50
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA7A4B
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_0AA52170
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_0AA53788
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00425152
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00435286
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004513D4
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0045050B
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00436510
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004316FB
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0043569E
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00443700
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004257FB
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004128E3
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00425964
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0041B917
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00435AD3
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00424BC3
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00433C0B
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00434D8A
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00435F08
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: String function: 00432525 appears 41 times
Source: z1ProductSampleRequirement.exe, 00000000.00000002.2088133445.00000000044FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z1ProductSampleRequirement.exe
Source: z1ProductSampleRequirement.exe, 00000000.00000002.2094168963.000000000B800000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z1ProductSampleRequirement.exe
Source: z1ProductSampleRequirement.exe, 00000000.00000000.2032655761.000000000099C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepYIN.exe: vs z1ProductSampleRequirement.exe
Source: z1ProductSampleRequirement.exe, 00000000.00000002.2085668864.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z1ProductSampleRequirement.exe
Source: z1ProductSampleRequirement.exe | Binary or memory string: OriginalFilenamepYIN.exe: vs z1ProductSampleRequirement.exe
Source: z1ProductSampleRequirement.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: XyLTxdgHV.exe PID: 7388, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: z1ProductSampleRequirement.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XyLTxdgHV.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, PFcomyYKW8In80MFZA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, PFcomyYKW8In80MFZA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: _0020.SetAccessControl
Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: _0020.AddAccessRule
Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: _0020.SetAccessControl
Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: _0020.AddAccessRule
Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: _0020.SetAccessControl
Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, fqDlm59RUfhkRlIwqb.cs Security API names: _0020.AddAccessRule
Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, PFcomyYKW8In80MFZA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@19/17@2/2
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,14_2_00415C90
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,14_2_0040E2E7
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,14_2_00419493
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,14_2_00418A00
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe File created: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Mutant created: \Sessions\1\BaseNamedObjects\BPbXAoupxfCN
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HNOBUS
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe File created: C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp
Source: z1ProductSampleRequirement.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z1ProductSampleRequirement.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1ProductSampleRequirement.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe File read: C:\Users\user\Desktop\z1ProductSampleRequirement.exe
Source: unknown Process created: C:\Users\user\Desktop\z1ProductSampleRequirement.exe "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Users\user\Desktop\z1ProductSampleRequirement.exe "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process created: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp"
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Users\user\Desktop\z1ProductSampleRequirement.exe "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp"
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process created: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: z1ProductSampleRequirement.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: z1ProductSampleRequirement.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: z1ProductSampleRequirement.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: pYIN.pdbSHA256 source: z1ProductSampleRequirement.exe, XyLTxdgHV.exe.0.dr
                  Source: Binary string: pYIN.pdb source: z1ProductSampleRequirement.exe, XyLTxdgHV.exe.0.dr

                  Data Obfuscation

                  Source: 0.2.z1ProductSampleRequirement.exe.7510000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs | .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, fqDlm59RUfhkRlIwqb.cs | .Net Code: EeFpeWbbEG System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, fqDlm59RUfhkRlIwqb.cs | .Net Code: EeFpeWbbEG System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, fqDlm59RUfhkRlIwqb.cs | .Net Code: EeFpeWbbEG System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 14_2_0041A8DA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAE7A9 push ss; ret | 11_2_06BAE7AA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAE7E3 push ss; ret | 11_2_06BAE7E6
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAE758 push ss; ret | 11_2_06BAE75A
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD470 push cs; ret | 11_2_06BAD472
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAC2B3 push es; ret | 11_2_06BAC4D2
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD28B push cs; ret | 11_2_06BAD292
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD2E9 push cs; ret | 11_2_06BAD2EA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD23B push cs; ret | 11_2_06BAD242
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD239 push cs; ret | 11_2_06BAD23A
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD398 push cs; ret | 11_2_06BAD39A
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BAD10F push cs; ret | 11_2_06BAD112
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8CE1 push edi; retn 0006h | 11_2_06BA8CE2
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8D10 push edi; retn 0006h | 11_2_06BA8D12
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8AE0 push esi; retn 0006h | 11_2_06BA8AE2
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8A21 push esi; retn 0006h | 11_2_06BA8A22
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8BE8 push edi; retn 0006h | 11_2_06BA8BEA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8B4F push esi; retn 0006h | 11_2_06BA8B52
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA88A9 push ebp; retn 0006h | 11_2_06BA88AA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA8929 push ebp; retn 0006h | 11_2_06BA892A
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 11_2_06BA9940 pushad ; retn 0006h | 11_2_06BA9942
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004000D8 push es; iretd | 14_2_004000D9
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0040008C push es; iretd | 14_2_0040008D
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004542E6 push ecx; ret | 14_2_004542F9
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0045B4FD push esi; ret | 14_2_0045B506
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00432BD6 push ecx; ret | 14_2_00432BE9
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00454C08 push eax; ret | 14_2_00454C26
                  Source: z1ProductSampleRequirement.exe | Static PE information: section name: .text entropy: 7.778861872488694
                  Source: XyLTxdgHV.exe.0.dr | Static PE information: section name: .text entropy: 7.778861872488694
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, OfkPs5c2FItUjMOkhc.cs | High entropy of concatenated method names: 'VGLRUFfaK6', 'NF1R2ABrXu', 'z7CR47fRI7', 'IqHRsIq7ul', 'WlTRQa70tn', 'sqoR8XqK1D', 'onvR9CsJvo', 'E1YRdFUeKu', 'aiwRgsvfDV', 'c2kRWaJW0k'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, b4dvvSzGgAHJKe1Bl7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W5axGKtIFf', 'q06xDOOjPD', 'MSYxjk0p0m', 'Gjyx6YLpfe', 'pN7xRIB0Lm', 'zDFxxfgTVR', 'S4GxyyJco7'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, MW4SVWppeY7JLecETy.cs | High entropy of concatenated method names: 'soTZ8Fcomy', 'uW8Z9In80M', 'aGVZgYIuZ6', 'H7tZWVS8Oc', 'QtmZDQosNn', 'R8uZj08kTX', 'ooUKr5nrE1oPLPYDfo', 'RngN5nuxnur7KKc9Rj', 'gJrZZO1GP6', 'WbBZiw7QZa'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, sGav03ZZZr0Km5DWInu.cs | High entropy of concatenated method names: 'ToString', 'wpGyiKIt85', 'r2HypMXdLU', 'lbIyoOIdZR', 'k4cyUj7Pep', 'q7qy2CVsLT', 'Vgyy4bDXdM', 'rDIyswEgLK', 'cBnDhw7oky6FqLcTndh', 'RFTbYs7QSgPmbwQQ1uJ'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, H7dlL2ZiNN5JYsKhXxs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j9wyn8d06p', 'pV7yMlJvm1', 'UUAyugBkYs', 'gCtyLFKDy3', 'IY4yInAipO', 'jYTy1tBwbj', 'YZayk4uDZP'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, PFcomyYKW8In80MFZA.cs | High entropy of concatenated method names: 'HbM2nrx6hn', 's012MJ7Bj4', 'pxY2u6POQC', 'FFg2L21t17', 'vt12I2xeno', 'hAV2121vKI', 'RV42kPE6eA', 'Ing2cXgGQw', 'VJJ2S0Tq3A', 'lnh2BTJ19Q'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, fqDlm59RUfhkRlIwqb.cs | High entropy of concatenated method names: 'DKnioPLkLg', 'Tv6iUnRXtN', 'EJei2fboqi', 'EA6i4CED9E', 'aPkis4ocyF', 'eoOiQhFlVB', 'cmPi8bS51G', 'rtji9xEBuF', 'nmUidwiKKR', 'qpAigmsQti'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, wIC62lOY9n5xvKiwqZ.cs | High entropy of concatenated method names: 'U7YeuIZZf', 'ahkbn8RVc', 'clRCmj6AL', 'Oh9v1GEhq', 'ISb3RousB', 'E3afJKEvQ', 'HOdNNfS4CWwJbCh4Sh', 'GiW2CooXU85mj0LInc', 'tAvRnFRND', 'QLfy7hhUY'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, byeapU11Mu2jVxe52d.cs | High entropy of concatenated method names: 'svS6cYiyi1', 'gr46BIhT7k', 'wj4R0XcALR', 'RlyRZN7oFv', 'fA165AAYjV', 'wtU6XDBcbL', 'ivJ6TJ00Ne', 'JCr6n7FHHN', 'SaC6MKojK0', 'DJN6uD86Fp'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, tPh9SCVZWXZq2HRuVp.cs | High entropy of concatenated method names: 'bf08FS8ibg', 'BU58qhF28I', 'f0m8eqdja1', 'Vqy8bgeWMO', 'sjX8AcMMPk', 'eE88Ckxrgj', 'a088vVLpIF', 'r3O8YR3k27', 'q6s83XXeW1', 'wbU8flWd76'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, uDM1012wTsu4vnsxhg.cs | High entropy of concatenated method names: 'Dispose', 'jjgZSccotV', 'GQtOlZl8wk', 'clpooMNPt9', 'P5fZBkPs52', 'xItZzUjMOk', 'ProcessDialogKey', 'FcPO0QuHcE', 'ctCOZbOG0L', 'OgROOtPIW9'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, wQuHcESOtCbOG0L5gR.cs | High entropy of concatenated method names: 'zaWRhLpk2h', 'VTNRlnUXSU', 'IWYRaqUucR', 'ILORrXZPTm', 'giDRnVnTPp', 'AL3RNI1KVL', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, vPIW9NB61QOJnLALyg.cs | High entropy of concatenated method names: 'TVsxZdOwLk', 'wCOxiU3a4M', 'M1Txp8i2lG', 'x5CxUJC8uO', 'Y37x2o9yew', 'a3Axseul7L', 'chSxQ5ucvT', 'ihnRkxohkJ', 'x4yRcd7qNn', 'tt3RSvvcBV'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, AbkTh6Z0xiJv4l4MUOf.cs | High entropy of concatenated method names: 'pDFxFAFmMw', 'lXmxqRQ0l2', 'hrqxe9gtka', 'Jsoxbhmha5', 'iQtxAAaXOR', 'LYvxCYAVUY', 'XJyxveuEPP', 'LOfxY8g6bM', 'aD5x3TrHWa', 'Q6mxffrTI1'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, S7W1wJrvpPySfdXAnQ.cs | High entropy of concatenated method names: 'T9QQwVNULu', 'vhAQFdLSpj', 'zj8QeOgAjL', 'ROxQbBmdlB', 's7HQCWqbt8', 'jU5Qvf6T8g', 'tZaQ3Ho5gc', 'TThQfcUfT0', 'xVu0kNlr5JihBUvdEUW', 'LIBQ71ltkP0Xcy45VS4'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, hNnM8uh08kTXFPWkdH.cs | High entropy of concatenated method names: 'cLUQoaQgv9', 'dEBQ2k8O0R', 'cp5QsnrvrH', 'OhDQ8a51b3', 'lr7Q9Krf0S', 'gVZsItwUyq', 'BQcs1dfq2S', 'MxAsk3UPrr', 'TBLscMDwxe', 'zqJsS4htf2'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, sEqge03GVYIuZ6l7tV.cs | High entropy of concatenated method names: 'qcj4b8WQ7o', 'hZN4C1Hsh2', 'jyV4YBU7CN', 'O6i43TF7Dw', 'EsZ4DC8aWv', 'xSQ4jN2O7N', 'pBN4649L1p', 'pcB4RSmF3o', 'WnC4xb3f2F', 'G8T4yViZWf'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, UcK0VRmsrV2qTEWOX4.cs | High entropy of concatenated method names: 'Rp48UH9d1q', 'nMH84bV8yr', 'sYS8QmGWAR', 'xXkQBmN114', 'nWMQzwKt4c', 'VCf80KiBUk', 'WPR8ZNZ9ct', 'FCy8ONFQac', 'y2C8ihL7v6', 'vQc8pjve41'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, PwZBsGT1XHuRCDQqu9.cs | High entropy of concatenated method names: 'FvYGY3LfCL', 'HOiG3bXqCh', 'Oy4GhWJy7D', 'xVmGlnAUiU', 'aiIGrj1TMQ', 'KYdGNop1uL', 'yK0GmmGrjI', 'iqtGHVwZT8', 'OwqG7KcqMo', 'GP1G5dVDF1'
                  Source: 0.2.z1ProductSampleRequirement.exe.b800000.5.raw.unpack, Y8OcsIfTSE2S4TtmQo.cs | High entropy of concatenated method names: 'oWIsAa8Xgg', 'NBCsvIclTl', 'UuV4aTjBlO', 'hJ84rHOiQ8', 'Kca4NtYQDq', 'CjN4JUNhkj', 'Wqx4mC83sg', 'EDe4HcaDWW', 'fwT4VnIj7o', 'S4S47Dv5Zp'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, OfkPs5c2FItUjMOkhc.cs | High entropy of concatenated method names: 'VGLRUFfaK6', 'NF1R2ABrXu', 'z7CR47fRI7', 'IqHRsIq7ul', 'WlTRQa70tn', 'sqoR8XqK1D', 'onvR9CsJvo', 'E1YRdFUeKu', 'aiwRgsvfDV', 'c2kRWaJW0k'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, b4dvvSzGgAHJKe1Bl7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W5axGKtIFf', 'q06xDOOjPD', 'MSYxjk0p0m', 'Gjyx6YLpfe', 'pN7xRIB0Lm', 'zDFxxfgTVR', 'S4GxyyJco7'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, MW4SVWppeY7JLecETy.cs | High entropy of concatenated method names: 'soTZ8Fcomy', 'uW8Z9In80M', 'aGVZgYIuZ6', 'H7tZWVS8Oc', 'QtmZDQosNn', 'R8uZj08kTX', 'ooUKr5nrE1oPLPYDfo', 'RngN5nuxnur7KKc9Rj', 'gJrZZO1GP6', 'WbBZiw7QZa'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, sGav03ZZZr0Km5DWInu.cs | High entropy of concatenated method names: 'ToString', 'wpGyiKIt85', 'r2HypMXdLU', 'lbIyoOIdZR', 'k4cyUj7Pep', 'q7qy2CVsLT', 'Vgyy4bDXdM', 'rDIyswEgLK', 'cBnDhw7oky6FqLcTndh', 'RFTbYs7QSgPmbwQQ1uJ'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, H7dlL2ZiNN5JYsKhXxs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j9wyn8d06p', 'pV7yMlJvm1', 'UUAyugBkYs', 'gCtyLFKDy3', 'IY4yInAipO', 'jYTy1tBwbj', 'YZayk4uDZP'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, PFcomyYKW8In80MFZA.cs | High entropy of concatenated method names: 'HbM2nrx6hn', 's012MJ7Bj4', 'pxY2u6POQC', 'FFg2L21t17', 'vt12I2xeno', 'hAV2121vKI', 'RV42kPE6eA', 'Ing2cXgGQw', 'VJJ2S0Tq3A', 'lnh2BTJ19Q'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, fqDlm59RUfhkRlIwqb.cs | High entropy of concatenated method names: 'DKnioPLkLg', 'Tv6iUnRXtN', 'EJei2fboqi', 'EA6i4CED9E', 'aPkis4ocyF', 'eoOiQhFlVB', 'cmPi8bS51G', 'rtji9xEBuF', 'nmUidwiKKR', 'qpAigmsQti'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, wIC62lOY9n5xvKiwqZ.cs | High entropy of concatenated method names: 'U7YeuIZZf', 'ahkbn8RVc', 'clRCmj6AL', 'Oh9v1GEhq', 'ISb3RousB', 'E3afJKEvQ', 'HOdNNfS4CWwJbCh4Sh', 'GiW2CooXU85mj0LInc', 'tAvRnFRND', 'QLfy7hhUY'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, byeapU11Mu2jVxe52d.cs | High entropy of concatenated method names: 'svS6cYiyi1', 'gr46BIhT7k', 'wj4R0XcALR', 'RlyRZN7oFv', 'fA165AAYjV', 'wtU6XDBcbL', 'ivJ6TJ00Ne', 'JCr6n7FHHN', 'SaC6MKojK0', 'DJN6uD86Fp'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, tPh9SCVZWXZq2HRuVp.cs | High entropy of concatenated method names: 'bf08FS8ibg', 'BU58qhF28I', 'f0m8eqdja1', 'Vqy8bgeWMO', 'sjX8AcMMPk', 'eE88Ckxrgj', 'a088vVLpIF', 'r3O8YR3k27', 'q6s83XXeW1', 'wbU8flWd76'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, uDM1012wTsu4vnsxhg.cs | High entropy of concatenated method names: 'Dispose', 'jjgZSccotV', 'GQtOlZl8wk', 'clpooMNPt9', 'P5fZBkPs52', 'xItZzUjMOk', 'ProcessDialogKey', 'FcPO0QuHcE', 'ctCOZbOG0L', 'OgROOtPIW9'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, wQuHcESOtCbOG0L5gR.cs | High entropy of concatenated method names: 'zaWRhLpk2h', 'VTNRlnUXSU', 'IWYRaqUucR', 'ILORrXZPTm', 'giDRnVnTPp', 'AL3RNI1KVL', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, vPIW9NB61QOJnLALyg.cs | High entropy of concatenated method names: 'TVsxZdOwLk', 'wCOxiU3a4M', 'M1Txp8i2lG', 'x5CxUJC8uO', 'Y37x2o9yew', 'a3Axseul7L', 'chSxQ5ucvT', 'ihnRkxohkJ', 'x4yRcd7qNn', 'tt3RSvvcBV'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, AbkTh6Z0xiJv4l4MUOf.cs | High entropy of concatenated method names: 'pDFxFAFmMw', 'lXmxqRQ0l2', 'hrqxe9gtka', 'Jsoxbhmha5', 'iQtxAAaXOR', 'LYvxCYAVUY', 'XJyxveuEPP', 'LOfxY8g6bM', 'aD5x3TrHWa', 'Q6mxffrTI1'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, S7W1wJrvpPySfdXAnQ.cs | High entropy of concatenated method names: 'T9QQwVNULu', 'vhAQFdLSpj', 'zj8QeOgAjL', 'ROxQbBmdlB', 's7HQCWqbt8', 'jU5Qvf6T8g', 'tZaQ3Ho5gc', 'TThQfcUfT0', 'xVu0kNlr5JihBUvdEUW', 'LIBQ71ltkP0Xcy45VS4'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, hNnM8uh08kTXFPWkdH.cs | High entropy of concatenated method names: 'cLUQoaQgv9', 'dEBQ2k8O0R', 'cp5QsnrvrH', 'OhDQ8a51b3', 'lr7Q9Krf0S', 'gVZsItwUyq', 'BQcs1dfq2S', 'MxAsk3UPrr', 'TBLscMDwxe', 'zqJsS4htf2'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, sEqge03GVYIuZ6l7tV.cs | High entropy of concatenated method names: 'qcj4b8WQ7o', 'hZN4C1Hsh2', 'jyV4YBU7CN', 'O6i43TF7Dw', 'EsZ4DC8aWv', 'xSQ4jN2O7N', 'pBN4649L1p', 'pcB4RSmF3o', 'WnC4xb3f2F', 'G8T4yViZWf'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, UcK0VRmsrV2qTEWOX4.cs | High entropy of concatenated method names: 'Rp48UH9d1q', 'nMH84bV8yr', 'sYS8QmGWAR', 'xXkQBmN114', 'nWMQzwKt4c', 'VCf80KiBUk', 'WPR8ZNZ9ct', 'FCy8ONFQac', 'y2C8ihL7v6', 'vQc8pjve41'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, PwZBsGT1XHuRCDQqu9.cs | High entropy of concatenated method names: 'FvYGY3LfCL', 'HOiG3bXqCh', 'Oy4GhWJy7D', 'xVmGlnAUiU', 'aiIGrj1TMQ', 'KYdGNop1uL', 'yK0GmmGrjI', 'iqtGHVwZT8', 'OwqG7KcqMo', 'GP1G5dVDF1'
                  Source: 0.2.z1ProductSampleRequirement.exe.47eeed0.2.raw.unpack, Y8OcsIfTSE2S4TtmQo.cs | High entropy of concatenated method names: 'oWIsAa8Xgg', 'NBCsvIclTl', 'UuV4aTjBlO', 'hJ84rHOiQ8', 'Kca4NtYQDq', 'CjN4JUNhkj', 'Wqx4mC83sg', 'EDe4HcaDWW', 'fwT4VnIj7o', 'S4S47Dv5Zp'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, OfkPs5c2FItUjMOkhc.cs | High entropy of concatenated method names: 'VGLRUFfaK6', 'NF1R2ABrXu', 'z7CR47fRI7', 'IqHRsIq7ul', 'WlTRQa70tn', 'sqoR8XqK1D', 'onvR9CsJvo', 'E1YRdFUeKu', 'aiwRgsvfDV', 'c2kRWaJW0k'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, b4dvvSzGgAHJKe1Bl7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W5axGKtIFf', 'q06xDOOjPD', 'MSYxjk0p0m', 'Gjyx6YLpfe', 'pN7xRIB0Lm', 'zDFxxfgTVR', 'S4GxyyJco7'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, MW4SVWppeY7JLecETy.cs | High entropy of concatenated method names: 'soTZ8Fcomy', 'uW8Z9In80M', 'aGVZgYIuZ6', 'H7tZWVS8Oc', 'QtmZDQosNn', 'R8uZj08kTX', 'ooUKr5nrE1oPLPYDfo', 'RngN5nuxnur7KKc9Rj', 'gJrZZO1GP6', 'WbBZiw7QZa'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, sGav03ZZZr0Km5DWInu.cs | High entropy of concatenated method names: 'ToString', 'wpGyiKIt85', 'r2HypMXdLU', 'lbIyoOIdZR', 'k4cyUj7Pep', 'q7qy2CVsLT', 'Vgyy4bDXdM', 'rDIyswEgLK', 'cBnDhw7oky6FqLcTndh', 'RFTbYs7QSgPmbwQQ1uJ'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, H7dlL2ZiNN5JYsKhXxs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j9wyn8d06p', 'pV7yMlJvm1', 'UUAyugBkYs', 'gCtyLFKDy3', 'IY4yInAipO', 'jYTy1tBwbj', 'YZayk4uDZP'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, PFcomyYKW8In80MFZA.cs | High entropy of concatenated method names: 'HbM2nrx6hn', 's012MJ7Bj4', 'pxY2u6POQC', 'FFg2L21t17', 'vt12I2xeno', 'hAV2121vKI', 'RV42kPE6eA', 'Ing2cXgGQw', 'VJJ2S0Tq3A', 'lnh2BTJ19Q'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, fqDlm59RUfhkRlIwqb.cs | High entropy of concatenated method names: 'DKnioPLkLg', 'Tv6iUnRXtN', 'EJei2fboqi', 'EA6i4CED9E', 'aPkis4ocyF', 'eoOiQhFlVB', 'cmPi8bS51G', 'rtji9xEBuF', 'nmUidwiKKR', 'qpAigmsQti'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, wIC62lOY9n5xvKiwqZ.cs | High entropy of concatenated method names: 'U7YeuIZZf', 'ahkbn8RVc', 'clRCmj6AL', 'Oh9v1GEhq', 'ISb3RousB', 'E3afJKEvQ', 'HOdNNfS4CWwJbCh4Sh', 'GiW2CooXU85mj0LInc', 'tAvRnFRND', 'QLfy7hhUY'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, byeapU11Mu2jVxe52d.cs | High entropy of concatenated method names: 'svS6cYiyi1', 'gr46BIhT7k', 'wj4R0XcALR', 'RlyRZN7oFv', 'fA165AAYjV', 'wtU6XDBcbL', 'ivJ6TJ00Ne', 'JCr6n7FHHN', 'SaC6MKojK0', 'DJN6uD86Fp'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, tPh9SCVZWXZq2HRuVp.cs | High entropy of concatenated method names: 'bf08FS8ibg', 'BU58qhF28I', 'f0m8eqdja1', 'Vqy8bgeWMO', 'sjX8AcMMPk', 'eE88Ckxrgj', 'a088vVLpIF', 'r3O8YR3k27', 'q6s83XXeW1', 'wbU8flWd76'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, uDM1012wTsu4vnsxhg.cs | High entropy of concatenated method names: 'Dispose', 'jjgZSccotV', 'GQtOlZl8wk', 'clpooMNPt9', 'P5fZBkPs52', 'xItZzUjMOk', 'ProcessDialogKey', 'FcPO0QuHcE', 'ctCOZbOG0L', 'OgROOtPIW9'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, wQuHcESOtCbOG0L5gR.cs | High entropy of concatenated method names: 'zaWRhLpk2h', 'VTNRlnUXSU', 'IWYRaqUucR', 'ILORrXZPTm', 'giDRnVnTPp', 'AL3RNI1KVL', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, vPIW9NB61QOJnLALyg.cs | High entropy of concatenated method names: 'TVsxZdOwLk', 'wCOxiU3a4M', 'M1Txp8i2lG', 'x5CxUJC8uO', 'Y37x2o9yew', 'a3Axseul7L', 'chSxQ5ucvT', 'ihnRkxohkJ', 'x4yRcd7qNn', 'tt3RSvvcBV'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, AbkTh6Z0xiJv4l4MUOf.cs | High entropy of concatenated method names: 'pDFxFAFmMw', 'lXmxqRQ0l2', 'hrqxe9gtka', 'Jsoxbhmha5', 'iQtxAAaXOR', 'LYvxCYAVUY', 'XJyxveuEPP', 'LOfxY8g6bM', 'aD5x3TrHWa', 'Q6mxffrTI1'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, S7W1wJrvpPySfdXAnQ.cs | High entropy of concatenated method names: 'T9QQwVNULu', 'vhAQFdLSpj', 'zj8QeOgAjL', 'ROxQbBmdlB', 's7HQCWqbt8', 'jU5Qvf6T8g', 'tZaQ3Ho5gc', 'TThQfcUfT0', 'xVu0kNlr5JihBUvdEUW', 'LIBQ71ltkP0Xcy45VS4'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, hNnM8uh08kTXFPWkdH.cs | High entropy of concatenated method names: 'cLUQoaQgv9', 'dEBQ2k8O0R', 'cp5QsnrvrH', 'OhDQ8a51b3', 'lr7Q9Krf0S', 'gVZsItwUyq', 'BQcs1dfq2S', 'MxAsk3UPrr', 'TBLscMDwxe', 'zqJsS4htf2'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, sEqge03GVYIuZ6l7tV.cs | High entropy of concatenated method names: 'qcj4b8WQ7o', 'hZN4C1Hsh2', 'jyV4YBU7CN', 'O6i43TF7Dw', 'EsZ4DC8aWv', 'xSQ4jN2O7N', 'pBN4649L1p', 'pcB4RSmF3o', 'WnC4xb3f2F', 'G8T4yViZWf'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, UcK0VRmsrV2qTEWOX4.cs | High entropy of concatenated method names: 'Rp48UH9d1q', 'nMH84bV8yr', 'sYS8QmGWAR', 'xXkQBmN114', 'nWMQzwKt4c', 'VCf80KiBUk', 'WPR8ZNZ9ct', 'FCy8ONFQac', 'y2C8ihL7v6', 'vQc8pjve41'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, PwZBsGT1XHuRCDQqu9.cs | High entropy of concatenated method names: 'FvYGY3LfCL', 'HOiG3bXqCh', 'Oy4GhWJy7D', 'xVmGlnAUiU', 'aiIGrj1TMQ', 'KYdGNop1uL', 'yK0GmmGrjI', 'iqtGHVwZT8', 'OwqG7KcqMo', 'GP1G5dVDF1'
                  Source: 0.2.z1ProductSampleRequirement.exe.48a5ef0.0.raw.unpack, Y8OcsIfTSE2S4TtmQo.cs | High entropy of concatenated method names: 'oWIsAa8Xgg', 'NBCsvIclTl', 'UuV4aTjBlO', 'hJ84rHOiQ8', 'Kca4NtYQDq', 'CjN4JUNhkj', 'Wqx4mC83sg', 'EDe4HcaDWW', 'fwT4VnIj7o', 'S4S47Dv5Zp'
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_004063C6 ShellExecuteW,URLDownloadToFileW | 14_2_004063C6
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | File created: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp"
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 14_2_00418A00

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 14_2_0041A8DA
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (207 identical entries)
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0040E18D Sleep,ExitProcess,14_2_0040E18D
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: 12C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: 2CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: 2AD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: 8F80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: 9F80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: A190000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: B190000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: B8C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: C8C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: D8C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: 860000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: 24D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: 2300000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: 82F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: 92F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: 94E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: A4E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: ABD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: BBD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory allocated: CBD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,14_2_004186FE
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6646
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1188
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6650
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 851
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Window / User API: threadDelayed 2295
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Window / User API: threadDelayed 7152
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Window / User API: foregroundWindowGot 1768
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe API coverage: 5.1 %
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6716 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428 Thread sleep count: 6646 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1496 Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876 Thread sleep count: 1188 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6592 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1812 Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2972 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6528 Thread sleep count: 261 > 30
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6528 Thread sleep time: -130500s >= -30000s
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6688 Thread sleep count: 2295 > 30
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6688 Thread sleep time: -6885000s >= -30000s
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6688 Thread sleep count: 7152 > 30
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe TID: 6688 Thread sleep time: -21456000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe TID: 7284 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,14_2_0041A01B
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,14_2_0040B28E
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_0040838E
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004087A0
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,14_2_00407848
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004068CD FindFirstFileW,FindNextFileW,14_2_004068CD
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0044BA59 FindFirstFileExA,14_2_0044BA59
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,14_2_00417AAB
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040AC78
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,14_2_00406D28
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001210000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Code function: 9_2_02F2FA00 LdrInitializeThunk,9_2_02F2FA00
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004327AE
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0041A8DA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004407B5 mov eax, dword ptr fs:[00000030h] 14_2_004407B5
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,14_2_00410763
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004328FC SetUnhandledExceptionFilter,14_2_004328FC
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_004398AC
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00432D5C
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Memory written: C:\Users\user\Desktop\z1ProductSampleRequirement.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Memory written: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 14_2_00410B5C
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004175E1 mouse_event,14_2_004175E1
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp"
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Process created: C:\Users\user\Desktop\z1ProductSampleRequirement.exe "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp"
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Process created: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerUS\27
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerUS\8
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerUS\
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerUS\'
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerUS\L
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                  Source: z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: 14_2_004329DA cpuid 14_2_004329DA
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: EnumSystemLocalesW,14_2_0044F17B
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: EnumSystemLocalesW,14_2_0044F130
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: EnumSystemLocalesW,14_2_0044F216
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_0044F2A3
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetLocaleInfoA,14_2_0040E2BB
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetLocaleInfoW,14_2_0044F4F3
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0044F61C
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetLocaleInfoW,14_2_0044F723
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_0044F7F0
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: EnumSystemLocalesW,14_2_00445914
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: GetLocaleInfoW,14_2_00445E1C
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,14_2_0044EEB8
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Queries volume information: C:\Users\user\Desktop\z1ProductSampleRequirement.exe VolumeInformation
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeQueries volume information: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeCode function: 14_2_0040A0B0 GetLocalTime,wsprintfW,14_2_0040A0B0
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeCode function: 14_2_004195F8 GetUserNameW,14_2_004195F8
                  Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exeCode function: 14_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,14_2_004466BF
                  Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498721754.0000000002D2F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2105358568.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 5708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XyLTxdgHV.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 14_2_0040A953
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 14_2_0040AA71
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: \key3.db | 14_2_0040AA71

Remote Access Functionality

Source: C:\Users\user\Desktop\z1ProductSampleRequirement.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HNOBUS
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HNOBUS
Source: Yara match | File source: 14.2.XyLTxdgHV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.4241ce8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.XyLTxdgHV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.4a11280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.4241ce8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XyLTxdgHV.exe.41cc6c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z1ProductSampleRequirement.exe.499bc60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498721754.0000000002D2F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2105358568.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 1892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z1ProductSampleRequirement.exe PID: 5708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XyLTxdgHV.exe PID: 7248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XyLTxdgHV.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | Code function: cmd.exe | 14_2_0040567A
MITRE ATT&CK Matrix (numbers give the count of matched signatures for that technique; techniques without a number were not observed):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Windows Service | 4 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 122 Process Injection | 12 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 121 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 122 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Behavior Graph (ID: 1546626; Sample: z1ProductSampleRequirement.exe; Start date: 01/11/2024; Architecture: WINDOWS; Score: 100)

Sample start (root node):
- Domains contacted: teebro1800.dynamic-dns.net; geoplugin.net
- Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
- Started: z1ProductSampleRequirement.exe (node 8); XyLTxdgHV.exe (node 12)

z1ProductSampleRequirement.exe (node 8):
- Dropped: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe (PE32); C:\Users\...\XyLTxdgHV.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpD6AD.tmp (XML); C:\...\z1ProductSampleRequirement.exe.log (ASCII)
- Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
- Started: z1ProductSampleRequirement.exe (node 14); powershell.exe (node 19); powershell.exe (node 21); schtasks.exe (node 23)

XyLTxdgHV.exe (node 12):
- Signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures
- Started: XyLTxdgHV.exe (node 25); schtasks.exe (node 27)

z1ProductSampleRequirement.exe (node 14):
- Network: teebro1800.dynamic-dns.net (51.75.166.98, 2195, 49707; OVHFR, France); geoplugin.net (178.237.33.50, 49708, 80; ATOM86-ASATOM86NL, Netherlands)
- Dropped: C:\ProgramData\remcos\logs.dat (data)
- Signatures: Detected Remcos RAT; Installs a global keyboard hook

powershell.exe (node 19):
- Signatures: Loading BitLocker PowerShell Module
- Started: WmiPrvSE.exe; conhost.exe

powershell.exe (node 21): started conhost.exe
schtasks.exe (node 23): started conhost.exe
schtasks.exe (node 27): started conhost.exe



Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| z1ProductSampleRequirement.exe | 66% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos | |
| z1ProductSampleRequirement.exe | 100% | Joe Sandbox ML | | |

Dropped files:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Roaming\XyLTxdgHV.exe | 66% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos | |

No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://geoplugin.net/json.gp | 0% | URL Reputation | safe | |
| http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
Domains:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| teebro1800.dynamic-dns.net | 51.75.166.98 | true | true | | unknown |
| geoplugin.net | 178.237.33.50 | true | false | | unknown |
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown |
| teebro1800.dynamic-dns.net | true | | unknown |
URLs found in memory or binary data:

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://geoplugin.net/json.gp$ | z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://geoplugin.net/ | z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://geoplugin.net/json.gp/C | z1ProductSampleRequirement.exe, 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp; XyLTxdgHV.exe, 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp; XyLTxdgHV.exe, 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://geoplugin.net/json.gpl | z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z1ProductSampleRequirement.exe, 00000000.00000002.2087574819.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp; XyLTxdgHV.exe, 0000000B.00000002.2126394543.000000000255A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://geoplugin.net/json.gpSystem32 | z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/DataSet1.xsd | z1ProductSampleRequirement.exe, XyLTxdgHV.exe.0.dr | false | | unknown |
| http://geoplugin.net/json.gpm | z1ProductSampleRequirement.exe, 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious
51.75.166.98 | teebro1800.dynamic-dns.net | France | 16276 | OVHFR | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1546626
                                    Start date and time:2024-11-01 09:31:06 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 8m 11s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:z1ProductSampleRequirement.exe
                                    Detection:MAL
                                    Classification:mal100.rans.troj.spyw.evad.winEXE@19/17@2/2
                                    EGA Information:
                                    • Successful, ratio: 75%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 77
                                    • Number of non-executed functions: 197
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target z1ProductSampleRequirement.exe, PID 5708 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: z1ProductSampleRequirement.exe
Time | Type | Description
04:31:55 | API Interceptor | 7433102x Sleep call for process: z1ProductSampleRequirement.exe modified
04:31:58 | API Interceptor | 27x Sleep call for process: powershell.exe modified
04:32:01 | API Interceptor | 2x Sleep call for process: XyLTxdgHV.exe modified
09:32:00 | Task Scheduler | Run new task: XyLTxdgHV path: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
 | 5Tqze.exe | malicious | Remcos | geoplugin.net/json.gp
 | PO-33463334788.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
 | A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
 | QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
 | 0001.xls | malicious | Remcos | geoplugin.net/json.gp
 | 1.rtf | malicious | Remcos | geoplugin.net/json.gp
 | HSBC Payment Swift Copy.exe | malicious | Remcos | geoplugin.net/json.gp
 | ingswhic.doc | malicious | Remcos | geoplugin.net/json.gp
 | swithnew.doc | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
teebro1800.dynamic-dns.net | HSBC Payment Swift Copy.exe | malicious | Remcos | 140.228.29.6
geoplugin.net | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | malicious | Remcos | 178.237.33.50
 | 5Tqze.exe | malicious | Remcos | 178.237.33.50
 | PO-33463334788.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
 | QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | 0001.xls | malicious | Remcos | 178.237.33.50
 | 1.rtf | malicious | Remcos | 178.237.33.50
 | HSBC Payment Swift Copy.exe | malicious | Remcos | 178.237.33.50
 | ingswhic.doc | malicious | Remcos | 178.237.33.50
 | swithnew.doc | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | file.exe | malicious | WhiteSnake Stealer | 51.255.106.85
 | https://send-space.s3.eu-north-1.amazonaws.com/de.html | malicious | Unknown | 51.91.79.17
 | VkTNb6p288.exe | malicious | FormBook | 5.39.10.93
 | 12Jh49DCAj.exe | malicious | Xmrig | 54.37.232.103
 | El9HaBFrFM.exe | malicious | Blank Grabber | 51.89.9.252
 | https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 54.37.62.77
 | http://3d1.gmobb.jp/dcm299ccyag4e/gov/ | malicious | Phisher | 178.32.210.226
 | https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1 | malicious | HTMLPhisher | 149.56.200.84
 | segura.vbs | malicious | Remcos | 164.132.58.105
 | asegurar.vbs | malicious | Remcos | 164.132.58.105
ATOM86-ASATOM86NL | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | malicious | Remcos | 178.237.33.50
 | 5Tqze.exe | malicious | Remcos | 178.237.33.50
 | PO-33463334788.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
 | QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | 0001.xls | malicious | Remcos | 178.237.33.50
 | 1.rtf | malicious | Remcos | 178.237.33.50
 | HSBC Payment Swift Copy.exe | malicious | Remcos | 178.237.33.50
 | ingswhic.doc | malicious | Remcos | 178.237.33.50
 | swithnew.doc | malicious | Remcos | 178.237.33.50
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):224
                                    Entropy (8bit):3.4209319376574494
                                    Encrypted:false
                                    SSDEEP:3:rhlKlfjxnftb5JWRal2Jl+7R0DAlBG45klovDl65lQWluEkiEW/ufWPlgMlRQlRR:6lfnb5YcIeeDAlOWA7DxbN2fBMMm0v
                                    MD5:DAF843AC217A76264985783FCD76A522
                                    SHA1:2ED6A3993A21DDAE8FDA9B6A0B25318A92A01A09
                                    SHA-256:8FDE9C59D1D63E159EF293EC4087636FB529A01D746C36D57811602155AC0BC5
                                    SHA-512:DE5413AC1A594FE8F175FF0C104097EBD5CB3434C55C33ADAB933B21E578F4AD0E7798598EAA41830D47F3C22A2A940535595E5644EB1CFC680106EFE4C2452E
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                    Reputation:low
                                    Preview:....[.2.0.2.4./.1.1./.0.1. .0.4.:.3.1.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....
                                    Process:C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):957
                                    Entropy (8bit):5.008295404649503
                                    Encrypted:false
                                    SSDEEP:24:qXdRNuKyGX85jHf3SvXhNlT3/7YvfbYro:6PN0GX85mvhjTkvfEro
                                    MD5:96B063F9C5EF78A161994420DFEC25F2
                                    SHA1:FCFF5C810833BB7C878D9D74E1468E1347C75230
                                    SHA-256:2F61ACE63CC007BF73EA371A90020323E8252EB4D0274162CE31E5F45E09740E
                                    SHA-512:A8630CBFD24959CFCDDE23F10515F7D4CA50A83F63B7B6EA233EB09AFCA121008A8AA5214E81B64776E8331741BD57A9BD18C89399B7F9C076A666BEF1CD4BC1
                                    Malicious:false
                                    Preview:{. "geoplugin_request":"173.254.250.82",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2232
                                    Entropy (8bit):5.379736180876081
                                    Encrypted:false
                                    SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:tLHyIFKL3IZ2KRH9Oug8s
                                    MD5:6826FE6ABAF3CE3CD345B5433F8715E5
                                    SHA1:FD4601A7FC9A41EBADE5E185DA0927E4D9A72FBF
                                    SHA-256:6C6BECB629E8CA772941CF328E222C3A5D3620B8683BA896395291589AF0DAE9
                                    SHA-512:9DA9FFCD5B8E1E774183485E99834F003F50B459B341E4211B5F9C408ECF260505A75CF08BFB41C23C310209A755FF2156A0A6E66999B0F36776AA1EF0E4B562
                                    Malicious:false
                                    Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1582
                                    Entropy (8bit):5.1080279957434715
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxAxvn:cgergYrFdOFzOzN33ODOiDdKrsuTJKv
                                    MD5:116CDCB91C6AB7CCA8CCFAF2BFF55587
                                    SHA1:F3491A2D000BD269CC63F0FAF7A34214ED0E5FB4
                                    SHA-256:D3CE7BAFBE9F86B1C4C58249C44519489B04B0CAF43EBA03FF067ADFD677706A
                                    SHA-512:4B268E5D81CD1A12D3C551E9EB5344BEB631B3452F201B7A2989DA3E6123D66FCFC7A0A5992B5A3A4EE2FF03448A5BE81EC745A3004A284634477087D1941478
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                    Process:C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1582
                                    Entropy (8bit):5.1080279957434715
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxAxvn:cgergYrFdOFzOzN33ODOiDdKrsuTJKv
                                    MD5:116CDCB91C6AB7CCA8CCFAF2BFF55587
                                    SHA1:F3491A2D000BD269CC63F0FAF7A34214ED0E5FB4
                                    SHA-256:D3CE7BAFBE9F86B1C4C58249C44519489B04B0CAF43EBA03FF067ADFD677706A
                                    SHA-512:4B268E5D81CD1A12D3C551E9EB5344BEB631B3452F201B7A2989DA3E6123D66FCFC7A0A5992B5A3A4EE2FF03448A5BE81EC745A3004A284634477087D1941478
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                    Process:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1022464
                                    Entropy (8bit):7.7739166723261475
                                    Encrypted:false
                                    SSDEEP:24576:XwKjd3QboMkqo8VnR4la8/GmLVqugzVdy/d:Ayd3QboMkqOla8VMVdy
                                    MD5:2B3AA1B01D8963ED35A0050F793B4811
                                    SHA1:34DF4CA808F2D35290D4008F2C6B3EA7E8E80D8A
                                    SHA-256:1682EE7703DD036CBDF6AD6DAA38DDB7A4E7AB567B273F9EE209672F339FEB2D
                                    SHA-512:B42D1B09FB0C092074E38A2E885C959D12A63C5E7741EC976EC507CF2F7A14B6DCE7E40E9BEA7EB0D55CAF6ACBECE8D1DD841427E43041CB8F7E742DFBCF67B4
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 66%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0.................. ........@.. ....................................@.....................................O...................................@z..T............................................ ............... ..H............text...P.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......P...........Y....[..h............................................0..L.........}.....( ......(!.....(............s".....(#....o$.....(%....o&.....('....*.0............}........((........().....,5...(............s".....(.....o$.....(.....o&....85....r...p.o...(*...o+...to.......(,..........9.....s ........s-...s....o/......o#...r...po0..........,$..(#.....o#...r...po0...s....o1........o2...(3.......o4...(5.......o6...(7.......o8...(9.......o:...(;.......o<...(=.........
                                    Process:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.7739166723261475
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:z1ProductSampleRequirement.exe
                                    File size:1'022'464 bytes
                                    MD5:2b3aa1b01d8963ed35a0050f793b4811
                                    SHA1:34df4ca808f2d35290d4008f2c6b3ea7e8e80d8a
                                    SHA256:1682ee7703dd036cbdf6ad6daa38ddb7a4e7ab567b273f9ee209672f339feb2d
                                    SHA512:b42d1b09fb0c092074e38a2e885c959d12a63c5e7741ec976ec507cf2f7a14b6dce7e40e9bea7eb0d55caf6acbece8d1dd841427e43041cb8f7e742dfbcf67b4
                                    SSDEEP:24576:XwKjd3QboMkqo8VnR4la8/GmLVqugzVdy/d:Ayd3QboMkqOla8VMVdy
                                    TLSH:7325DFD03A767319DEB44AB89528DDB543B52E69B010FAE61DCC3BD739AD3009E08F46
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0.................. ........@.. ....................................@................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x4fae12
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x67231AD6 [Thu Oct 31 05:51:18 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    push ebx
                                    add byte ptr [ecx+00h], bh
                                    jnc 00007FDDED1037C2h
                                    je 00007FDDED1037C2h
                                    add byte ptr [ebp+00h], ch
                                    add byte ptr [ecx+00h], al
                                    arpl word ptr [eax], ax
                                    je 00007FDDED1037C2h
                                    imul eax, dword ptr [eax], 00610076h
                                    je 00007FDDED1037C2h
                                    outsd
                                    add byte ptr [edx+00h], dh
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    add al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add eax, dword ptr [eax]
                                    add byte ptr [eax], al
                                    add al, 00h
                                    add byte ptr [eax], al
                                    add eax, 00000000h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfadc0 | 0x4f | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfc000 | 0x5ac | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf7a40 | 0x54 | .text
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0xf8e50 | 0xf9000 | fd534b529b24f3041d53d11395a1c912 | False | 0.8818173082956827 | data | 7.778861872488694 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0xfc000 | 0x5ac | 0x600 | 69ee05e44e2112ba54e5f3095b6c9750 | False | 0.4212239583333333 | data | 4.087576745907995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0xfe000 | 0xc | 0x200 | ec29b6749c3c1ce2255ba0319198d251 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
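The section table above reports two measures per section, an 8-bit entropy and a ZLIB complexity (compressed size over raw size): .text sits at 7.78 bits per byte with complexity 0.88, while .reloc is close to zero on both. Code sections of ordinary compiled binaries do not look like that; a .text this close to random is what an obfuscated or packed payload looks like before it is unpacked in memory. The Python below is an added example, not part of the Joe Sandbox report: it computes both metrics the same way and applies a simple triage rule over three constructed section bodies that stand in for the .text/.rsrc/.reloc layout shown. The thresholds and the sample bytes are assumptions.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by original size; a value near (or above) 1.0 means
    zlib found nothing to squeeze, which is what encrypted or well-packed data looks like."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def assess_section(name: str, data: bytes,
                   entropy_threshold: float = 7.2,
                   complexity_threshold: float = 0.8) -> dict:
    """Flag a section only when it is BOTH high-entropy and incompressible. Either metric
    alone misfires: a .rsrc holding a PNG has high entropy but the report's .text/.rsrc split
    still separates cleanly on the pair. Thresholds are this example's assumptions."""
    e = shannon_entropy(data)
    c = zlib_complexity(data)
    return {
        "name": name,
        "entropy": round(e, 3),
        "zlib_complexity": round(c, 3),
        "packed_or_encrypted": e >= entropy_threshold and c >= complexity_threshold,
    }


def constructed_sections() -> dict:
    """Constructed stand-ins (not bytes from the sample): a random-looking .text,
    a text-plus-padding .rsrc and a nearly empty .reloc with one 12-byte block."""
    rng = random.Random(1682)  # fixed seed keeps the example reproducible
    text = bytes(rng.getrandbits(8) for _ in range(0x10000))
    manifest = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
                b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\r\n') * 6
    rsrc = manifest.ljust(0x600, b"\x00")
    reloc = b"\x00\x20\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00".ljust(0x200, b"\x00")
    return {".text": text, ".rsrc": rsrc, ".reloc": reloc}


def triage() -> list:
    """Run the assessment over the constructed sections; returns one dict per section."""
    return [assess_section(name, body) for name, body in constructed_sections().items()]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

On a real file the same two functions are run over each section's raw bytes (offset PointerToRawData, length SizeOfRawData); here the constructed .text lands near 8.0 bits with complexity about 1.0 and is flagged, while .rsrc and .reloc are not.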
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_VERSION | 0xfc090 | 0x31c | data | | | 0.4321608040201005
                                    RT_MANIFEST | 0xfc3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                    DLL | Import
                                    mscoree.dll | _CorExeMain
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-11-01T09:32:00.575139+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49707 | 51.75.166.98 | 2195 | TCP
                                    2024-11-01T09:32:02.348331+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | TCP
                                    2024-11-01T09:32:14.685625+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.5 | 49711 | TCP
                                    2024-11-01T09:32:53.372550+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.5 | 49922 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 1, 2024 09:31:59.724946976 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:31:59.729753971 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:31:59.730119944 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:31:59.735193014 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:31:59.740237951 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:00.528578997 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:00.575139046 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:00.630790949 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:00.649257898 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:00.656404018 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:00.656502962 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:00.664402962 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:00.911179066 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:00.930330992 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:00.935193062 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:01.013417006 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:01.075941086 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:01.500919104 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:32:01.505716085 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
                                    Nov 1, 2024 09:32:01.505827904 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:32:01.524656057 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:32:01.529526949 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
                                    Nov 1, 2024 09:32:02.348257065 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
                                    Nov 1, 2024 09:32:02.348330975 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:32:02.375124931 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:02.380006075 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:03.472436905 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
                                    Nov 1, 2024 09:32:03.472507954 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:32:31.371165037 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:32:31.372873068 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:32:31.377768040 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:33:01.840245962 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:33:01.841527939 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:33:01.846473932 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:33:32.309000969 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:33:32.310551882 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:33:32.315320015 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:33:51.231524944 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:33:51.670126915 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:33:52.316121101 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:33:53.528300047 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:33:56.028415918 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:34:00.919241905 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:34:02.778143883 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:34:02.779532909 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:34:02.784332991 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:34:10.528275967 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
                                    Nov 1, 2024 09:34:33.371174097 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:34:33.372807026 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:34:33.377804995 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:35:03.716877937 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:35:03.719146013 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:35:03.724013090 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:35:34.153378010 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:35:34.154725075 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
                                    Nov 1, 2024 09:35:34.160110950 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:36:04.669101000 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
                                    Nov 1, 2024 09:36:04.715929985 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
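Read down the TCP table and two patterns stand out. From 09:32:31 onward the server at 51.75.166.98:2195 sends a packet roughly every 30 seconds and the client answers, which is the fixed-interval keep-alive a RAT's C2 loop produces; the geoplugin.net flow on port 80, by contrast, is a single request followed from 09:33:51 by a tail of client-only packets at growing intervals, i.e. TCP retransmissions after the server side went away. The Python below is an added example, not part of the Joe Sandbox report: it parses rows re-typed from this table into direction-independent flows, collapses packets that arrive close together into bursts, and flags a flow as beaconing when most inter-burst intervals fall within 10% of their median. The sample rows are a constructed subset of the table; the 2-second burst gap, the 10% tolerance and the minimum of five intervals are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a subset of this report's TCP packet rows, re-typed as
# pipe-separated lines so the example runs offline. Two flows are present:
# the C2 session 192.168.2.5:49707 <-> 51.75.166.98:2195 and the geoplugin.net
# check-in 192.168.2.5:49708 <-> 178.237.33.50:80.
SAMPLE_PACKETS = """
Nov 1, 2024 09:31:59.724946976 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
Nov 1, 2024 09:31:59.729753971 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:32:00.575139046 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
Nov 1, 2024 09:32:01.075941086 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
Nov 1, 2024 09:32:01.500919104 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:32:01.505716085 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
Nov 1, 2024 09:32:02.348257065 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
Nov 1, 2024 09:32:02.375124931 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
Nov 1, 2024 09:32:03.472436905 CET | 80 | 49708 | 178.237.33.50 | 192.168.2.5
Nov 1, 2024 09:32:31.371165037 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:32:31.372873068 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
Nov 1, 2024 09:33:01.840245962 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:33:01.841527939 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
Nov 1, 2024 09:33:32.309000969 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:33:51.231524944 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:33:51.670126915 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:33:52.316121101 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:33:53.528300047 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:33:56.028415918 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:34:00.919241905 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:34:02.778143883 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:34:10.528275967 CET | 49708 | 80 | 192.168.2.5 | 178.237.33.50
Nov 1, 2024 09:34:33.371174097 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:35:03.716877937 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:35:34.153378010 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:36:04.669101000 CET | 2195 | 49707 | 51.75.166.98 | 192.168.2.5
Nov 1, 2024 09:36:04.715929985 CET | 49707 | 2195 | 192.168.2.5 | 51.75.166.98
"""

ROW = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ \| (\d+) \| (\d+) \| ([\d.]+) \| ([\d.]+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_rows(text: str) -> list:
    """Parse rows into (seconds, src, sport, dst, dport). The nanosecond fraction is added
    separately because strptime's %f stops at six digits."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError("unparsable row: " + line)
        base, frac, sport, dport, src, dst = m.groups()
        secs = (datetime.strptime(base, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds() + float("0." + frac)
        rows.append((secs, src, int(sport), dst, int(dport)))
    return rows


def flow_key(src: str, sport: int, dst: str, dport: int) -> tuple:
    """Direction-independent key so both halves of a conversation land in one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def burst_starts(times: list, gap: float = 2.0) -> list:
    """Collapse packets closer than `gap` seconds into one burst; return each burst's first timestamp.
    A keep-alive exchange of two or three packets thus counts once."""
    times = sorted(times)
    starts = [times[0]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            starts.append(cur)
    return starts


def periodicity(starts: list, tolerance: float = 0.10, min_intervals: int = 5, min_fraction: float = 0.75) -> dict:
    """Beaconing verdict: enough intervals, and most of them within +/-tolerance of the median.
    The median, not the mean, so one long initial handshake burst cannot mask a regular cadence."""
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    if len(intervals) < min_intervals:
        return {"periodic": False, "intervals": len(intervals), "median": None, "in_band": 0}
    med = median(intervals)
    in_band = sum(1 for i in intervals if abs(i - med) <= tolerance * med)
    return {"periodic": in_band / len(intervals) >= min_fraction,
            "intervals": len(intervals), "median": med, "in_band": in_band}


def find_beacons(rows: list, **kwargs) -> dict:
    """Group packets into flows and score each flow; returns {flow_key: verdict}."""
    flows = defaultdict(list)
    for secs, src, sport, dst, dport in rows:
        flows[flow_key(src, sport, dst, dport)].append(secs)
    return {key: periodicity(burst_starts(times), **kwargs) for key, times in flows.items()}


if __name__ == "__main__":
    for key, verdict in find_beacons(parse_rows(SAMPLE_PACKETS)).items():
        print(key, verdict)
```

On this data the C2 flow yields eight inter-burst intervals with a median just over 30 seconds, all within the band, and is flagged; the geoplugin.net flow yields four irregular intervals (the retransmission back-off) and is not. The same two functions run unchanged over a Zeek conn.log or a pcap export once the rows are parsed into the same tuples.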
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 1, 2024 09:31:59.406703949 CET | 58255 | 53 | 192.168.2.5 | 1.1.1.1
                                    Nov 1, 2024 09:31:59.716320992 CET | 53 | 58255 | 1.1.1.1 | 192.168.2.5
                                    Nov 1, 2024 09:32:01.488461018 CET | 57372 | 53 | 192.168.2.5 | 1.1.1.1
                                    Nov 1, 2024 09:32:01.496764898 CET | 53 | 57372 | 1.1.1.1 | 192.168.2.5
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Nov 1, 2024 09:31:59.406703949 CET | 192.168.2.5 | 1.1.1.1 | 0x34ca | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                                    Nov 1, 2024 09:32:01.488461018 CET | 192.168.2.5 | 1.1.1.1 | 0x92ab | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Nov 1, 2024 09:31:59.716320992 CET | 1.1.1.1 | 192.168.2.5 | 0x34ca | No error (0) | teebro1800.dynamic-dns.net | | 51.75.166.98 | A (IP address) | IN (0x0001) | false
                                    Nov 1, 2024 09:32:01.496764898 CET | 1.1.1.1 | 192.168.2.5 | 0x92ab | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                    • geoplugin.net
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | 5708 | C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Nov 1, 2024 09:32:01.524656057 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                    Host: geoplugin.net
                                    Cache-Control: no-cache
                                    Nov 1, 2024 09:32:02.348257065 CET | 1165 | IN | HTTP/1.1 200 OK
                                    date: Fri, 01 Nov 2024 08:32:02 GMT
                                    server: Apache
                                    content-length: 957
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
                                    Data Ascii: { "geoplugin_request":"173.254.250.82", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                    Target ID:0
                                    Start time:04:31:55
                                    Start date:01/11/2024
                                    Path:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
                                    Imagebase:0x8a0000
                                    File size:1'022'464 bytes
                                    MD5 hash:2B3AA1B01D8963ED35A0050F793B4811
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2088133445.000000000499B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:04:31:56
                                    Start date:01/11/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
                                    Imagebase:0x690000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:04:31:56
                                    Start date:01/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:04:31:56
                                    Start date:01/11/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
                                    Imagebase:0x690000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:04:31:56
                                    Start date:01/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:04:31:56
                                    Start date:01/11/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpD6AD.tmp"
                                    Imagebase:0x600000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:04:31:57
                                    Start date:01/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:04:31:58
                                    Start date:01/11/2024
                                    Path:C:\Users\user\Desktop\z1ProductSampleRequirement.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\z1ProductSampleRequirement.exe"
                                    Imagebase:0x9a0000
                                    File size:1'022'464 bytes
                                    MD5 hash:2B3AA1B01D8963ED35A0050F793B4811
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4498177592.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4498721754.0000000002D2F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4498177592.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4498177592.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:10
                                    Start time:04:31:59
                                    Start date:01/11/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff6ef0c0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:04:32:00
                                    Start date:01/11/2024
                                    Path:C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
                                    Imagebase:0x50000
                                    File size:1'022'464 bytes
                                    MD5 hash:2B3AA1B01D8963ED35A0050F793B4811
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2129497203.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 66%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:12
                                    Start time:04:32:02
                                    Start date:01/11/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyLTxdgHV" /XML "C:\Users\user\AppData\Local\Temp\tmpEB9C.tmp"
                                    Imagebase:0x600000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:04:32:02
                                    Start date:01/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:04:32:02
                                    Start date:01/11/2024
                                    Path:C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\XyLTxdgHV.exe"
                                    Imagebase:0xec0000
                                    File size:1'022'464 bytes
                                    MD5 hash:2B3AA1B01D8963ED35A0050F793B4811
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2105358568.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:10.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:1.4%
                                      Total number of Nodes:214
                                      Total number of Limit Nodes:14
                                      execution_graph 28729 12c4668 28730 12c467a 28729->28730 28731 12c4686 28730->28731 28735 12c4778 28730->28735 28740 12c4204 28731->28740 28733 12c46a5 28736 12c479d 28735->28736 28744 12c4878 28736->28744 28748 12c4888 28736->28748 28741 12c420f 28740->28741 28756 12c59fc 28741->28756 28743 12c7084 28743->28733 28746 12c4888 28744->28746 28745 12c498c 28745->28745 28746->28745 28752 12c4560 28746->28752 28750 12c48af 28748->28750 28749 12c498c 28749->28749 28750->28749 28751 12c4560 CreateActCtxA 28750->28751 28751->28749 28753 12c5d18 CreateActCtxA 28752->28753 28755 12c5ddb 28753->28755 28757 12c5a07 28756->28757 28760 12c5a1c 28757->28760 28759 12c7425 28759->28743 28761 12c5a27 28760->28761 28764 12c5a4c 28761->28764 28763 12c7502 28763->28759 28765 12c5a57 28764->28765 28768 12c5a7c 28765->28768 28767 12c7605 28767->28763 28769 12c5a87 28768->28769 28771 12c8b6b 28769->28771 28775 12cae10 28769->28775 28770 12c8ba9 28770->28767 28771->28770 28779 12ccf00 28771->28779 28784 12ccf10 28771->28784 28789 12cb218 28775->28789 28793 12cb250 28775->28793 28776 12cae26 28776->28771 28780 12ccf10 28779->28780 28781 12ccf55 28780->28781 28801 12cd4c8 28780->28801 28805 12cd4b9 28780->28805 28781->28770 28786 12ccf31 28784->28786 28785 12ccf55 28785->28770 28786->28785 28787 12cd4c8 GetModuleHandleW 28786->28787 28788 12cd4b9 GetModuleHandleW 28786->28788 28787->28785 28788->28785 28790 12cb21d 28789->28790 28796 12cb33a 28790->28796 28791 12cb25f 28791->28776 28794 12cb25f 28793->28794 28795 12cb33a GetModuleHandleW 28793->28795 28794->28776 28795->28794 28797 12cb37c 28796->28797 28798 12cb359 28796->28798 28797->28791 28798->28797 28799 12cb580 GetModuleHandleW 28798->28799 28800 12cb5ad 28799->28800 28800->28791 28802 12cd4d5 28801->28802 28803 12cd50f 28802->28803 28809 12cd2f0 28802->28809 28803->28781 28806 12cd4c8 28805->28806 28807 12cd50f 28806->28807 28808 12cd2f0 GetModuleHandleW 28806->28808 28807->28781 28808->28807 
28810 12cd2fb 28809->28810 28812 12cde20 28810->28812 28813 12cd40c 28810->28813 28812->28812 28814 12cd417 28813->28814 28815 12c5a7c GetModuleHandleW 28814->28815 28816 12cde8f 28815->28816 28816->28812 28831 2ad1e18 28832 2ad1fa3 28831->28832 28833 2ad1e3e 28831->28833 28833->28832 28836 2ad2098 PostMessageW 28833->28836 28838 2ad2090 28833->28838 28837 2ad2104 28836->28837 28837->28833 28839 2ad2098 PostMessageW 28838->28839 28840 2ad2104 28839->28840 28840->28833 28841 754dcaf 28842 754dc57 28841->28842 28843 754dbdc 28842->28843 28847 2ad0c5e 28842->28847 28852 2ad0bf8 28842->28852 28856 2ad0be9 28842->28856 28848 2ad0bec 28847->28848 28850 2ad0c61 28847->28850 28860 2ad0f11 28848->28860 28849 2ad0c1a 28849->28843 28850->28843 28853 2ad0c12 28852->28853 28855 2ad0f11 12 API calls 28853->28855 28854 2ad0c1a 28854->28843 28855->28854 28857 2ad0bec 28856->28857 28859 2ad0f11 12 API calls 28857->28859 28858 2ad0c1a 28858->28843 28859->28858 28861 2ad0f35 28860->28861 28863 2ad0f47 28861->28863 28878 2ad1224 28861->28878 28882 2ad126d 28861->28882 28887 2ad1330 28861->28887 28892 2ad1371 28861->28892 28897 2ad1151 28861->28897 28902 2ad1051 28861->28902 28907 2ad1457 28861->28907 28912 2ad115b 28861->28912 28917 2ad1979 28861->28917 28922 2ad125e 28861->28922 28927 2ad119f 28861->28927 28935 2ad1463 28861->28935 28942 2ad13c0 28861->28942 28947 2ad14e7 28861->28947 28952 2ad1747 28861->28952 28863->28849 28957 754d3a0 28878->28957 28961 754d398 28878->28961 28879 2ad123e 28879->28863 28883 2ad1273 28882->28883 28965 754d530 28883->28965 28969 754d538 28883->28969 28884 2ad12a5 28884->28863 28888 2ad1339 28887->28888 28890 754d530 WriteProcessMemory 28888->28890 28891 754d538 WriteProcessMemory 28888->28891 28889 2ad1384 28889->28863 28890->28889 28891->28889 28893 2ad1713 28892->28893 28973 2ad1c78 28893->28973 28978 2ad1c88 28893->28978 28894 2ad1732 28898 2ad1147 28897->28898 28899 2ad1159 28898->28899 28991 754d2f0 28898->28991 28995 754d2e9 28898->28995 
28899->28863 28903 2ad105b 28902->28903 28999 754d7b7 28903->28999 29003 754d7c0 28903->29003 28908 2ad199d 28907->28908 29007 754d623 28908->29007 29011 754d628 28908->29011 28909 2ad19bf 28913 2ad1284 28912->28913 28914 2ad12a5 28913->28914 28915 754d530 WriteProcessMemory 28913->28915 28916 754d538 WriteProcessMemory 28913->28916 28914->28863 28915->28914 28916->28914 28919 2ad1147 28917->28919 28918 2ad1159 28918->28863 28919->28918 28920 754d2f0 ResumeThread 28919->28920 28921 754d2e9 ResumeThread 28919->28921 28920->28919 28921->28919 28923 2ad123e 28922->28923 28924 2ad1223 28922->28924 28923->28863 28925 754d3a0 Wow64SetThreadContext 28924->28925 28926 754d398 Wow64SetThreadContext 28924->28926 28925->28923 28926->28923 28928 2ad11bf 28927->28928 28930 2ad1147 28927->28930 28931 754d3a0 Wow64SetThreadContext 28928->28931 28932 754d398 Wow64SetThreadContext 28928->28932 28929 2ad1159 28929->28863 28930->28929 28933 754d2f0 ResumeThread 28930->28933 28934 754d2e9 ResumeThread 28930->28934 28931->28930 28932->28930 28933->28930 28934->28930 28940 754d530 WriteProcessMemory 28935->28940 28941 754d538 WriteProcessMemory 28935->28941 28936 2ad1159 28936->28863 28937 2ad1147 28937->28936 28938 754d2f0 ResumeThread 28937->28938 28939 754d2e9 ResumeThread 28937->28939 28938->28937 28939->28937 28940->28937 28941->28937 28943 2ad1147 28942->28943 28943->28942 28944 2ad1159 28943->28944 28945 754d2f0 ResumeThread 28943->28945 28946 754d2e9 ResumeThread 28943->28946 28944->28863 28945->28943 28946->28943 28949 2ad1147 28947->28949 28948 2ad1159 28948->28863 28949->28948 28950 754d2f0 ResumeThread 28949->28950 28951 754d2e9 ResumeThread 28949->28951 28950->28949 28951->28949 28953 2ad1147 28952->28953 28954 2ad1159 28953->28954 28955 754d2f0 ResumeThread 28953->28955 28956 754d2e9 ResumeThread 28953->28956 28954->28863 28955->28953 28956->28953 28958 754d3e5 Wow64SetThreadContext 28957->28958 28960 754d42d 28958->28960 28960->28879 28962 754d3a0 Wow64SetThreadContext 
28961->28962 28964 754d42d 28962->28964 28964->28879 28966 754d538 WriteProcessMemory 28965->28966 28968 754d5d7 28966->28968 28968->28884 28970 754d580 WriteProcessMemory 28969->28970 28972 754d5d7 28970->28972 28972->28884 28974 2ad1c88 28973->28974 28983 754d470 28974->28983 28987 754d478 28974->28987 28975 2ad1cbc 28975->28894 28979 2ad1c9d 28978->28979 28981 754d470 VirtualAllocEx 28979->28981 28982 754d478 VirtualAllocEx 28979->28982 28980 2ad1cbc 28980->28894 28981->28980 28982->28980 28984 754d478 VirtualAllocEx 28983->28984 28986 754d4f5 28984->28986 28986->28975 28988 754d4b8 VirtualAllocEx 28987->28988 28990 754d4f5 28988->28990 28990->28975 28992 754d330 ResumeThread 28991->28992 28994 754d361 28992->28994 28994->28898 28996 754d2f0 ResumeThread 28995->28996 28998 754d361 28996->28998 28998->28898 29000 754d7c0 CreateProcessA 28999->29000 29002 754da0b 29000->29002 29004 754d849 CreateProcessA 29003->29004 29006 754da0b 29004->29006 29008 754d628 ReadProcessMemory 29007->29008 29010 754d6b7 29008->29010 29010->28909 29012 754d673 ReadProcessMemory 29011->29012 29014 754d6b7 29012->29014 29014->28909 28817 12cd5e0 28818 12cd626 28817->28818 28822 12cd7c0 28818->28822 28825 12cd7b1 28818->28825 28819 12cd713 28824 12cd7ee 28822->28824 28828 12cb234 28822->28828 28824->28819 28826 12cb234 DuplicateHandle 28825->28826 28827 12cd7ee 28826->28827 28827->28819 28829 12cd828 DuplicateHandle 28828->28829 28830 12cd8be 28829->28830 28830->28824

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 344 2ad2d90-2ad2db2 345 2ad2db8-2ad2df3 call 2ad2acc 344->345 346 2ad3162-2ad3167 344->346 356 2ad2df5-2ad2dff 345->356 357 2ad2e06-2ad2e26 345->357 347 2ad3169-2ad316b 346->347 348 2ad3171-2ad3174 346->348 347->348 350 2ad317c-2ad3184 348->350 352 2ad318a-2ad3191 350->352 356->357 359 2ad2e39-2ad2e59 357->359 360 2ad2e28-2ad2e32 357->360 362 2ad2e6c-2ad2e8c 359->362 363 2ad2e5b-2ad2e65 359->363 360->359 365 2ad2e9f-2ad2ea8 call 2ad2adc 362->365 366 2ad2e8e-2ad2e98 362->366 363->362 369 2ad2ecc-2ad2ed5 call 2ad2aec 365->369 370 2ad2eaa-2ad2ec5 call 2ad2adc 365->370 366->365 375 2ad2ef9-2ad2f02 call 2ad2afc 369->375 376 2ad2ed7-2ad2ef2 call 2ad2aec 369->376 370->369 382 2ad2f0d-2ad2f29 375->382 383 2ad2f04-2ad2f08 call 2ad2b0c 375->383 376->375 387 2ad2f2b-2ad2f31 382->387 388 2ad2f41-2ad2f45 382->388 383->382 389 2ad2f35-2ad2f37 387->389 390 2ad2f33 387->390 391 2ad2f5f-2ad2fa7 388->391 392 2ad2f47-2ad2f58 call 2ad2b1c 388->392 389->388 390->388 398 2ad2fa9 391->398 399 2ad2fcb-2ad2fd2 391->399 392->391 400 2ad2fac-2ad2fb2 398->400 401 2ad2fe9-2ad2ff7 call 2ad2b2c 399->401 402 2ad2fd4-2ad2fe3 399->402 404 2ad2fb8-2ad2fbe 400->404 405 2ad3192-2ad3198 400->405 411 2ad2ff9-2ad2ffb 401->411 412 2ad3001-2ad302b 401->412 402->401 408 2ad2fc8-2ad2fc9 404->408 409 2ad2fc0-2ad2fc2 404->409 413 2ad319a-2ad31d1 405->413 414 2ad3203-2ad3204 405->414 408->399 408->400 409->408 411->412 429 2ad302d-2ad303b 412->429 430 2ad3058-2ad3074 412->430 415 2ad3230-2ad3240 413->415 416 2ad31d3-2ad31e6 413->416 418 2ad31ee 414->418 419 2ad3205-2ad3206 414->419 425 2ad3416-2ad341d 415->425 426 2ad3246-2ad3250 415->426 416->418 418->418 420 2ad31f0-2ad31f4 418->420 428 2ad320a-2ad320f 419->428 420->415 422 2ad31f6-2ad31fc 420->422 427 2ad31fe-2ad3200 422->427 422->428 433 2ad342c-2ad343f 425->433 434 2ad341f-2ad3425 425->434 431 2ad325a-2ad3264 426->431 432 2ad3252-2ad3259 426->432 427->414 435 2ad321c-2ad3229 428->435 436 
2ad3211-2ad3215 428->436 429->430 443 2ad303d-2ad3051 429->443 441 2ad3087-2ad30ae call 2ad2b3c 430->441 442 2ad3076-2ad3080 430->442 438 2ad3449-2ad34d4 431->438 439 2ad326a-2ad32aa 431->439 434->433 435->415 436->435 494 2ad34da-2ad34ec call 2ad2bf0 438->494 495 2ad35b5-2ad35cb call 2ad31a8 438->495 464 2ad32ac-2ad32b2 439->464 465 2ad32c2-2ad32c6 439->465 454 2ad30c6-2ad30ca 441->454 455 2ad30b0-2ad30b6 441->455 442->441 443->430 459 2ad30cc-2ad30de 454->459 460 2ad30e5-2ad3101 454->460 457 2ad30b8 455->457 458 2ad30ba-2ad30bc 455->458 457->454 458->454 459->460 469 2ad3119-2ad311d 460->469 470 2ad3103-2ad3109 460->470 467 2ad32b4 464->467 468 2ad32b6-2ad32b8 464->468 471 2ad32c8-2ad32ed 465->471 472 2ad32f3-2ad330b call 2ad2bc0 465->472 467->465 468->465 469->352 476 2ad311f-2ad312d 469->476 474 2ad310d-2ad310f 470->474 475 2ad310b 470->475 471->472 487 2ad330d-2ad3312 472->487 488 2ad3318-2ad3320 472->488 474->469 475->469 483 2ad313f-2ad3143 476->483 484 2ad312f-2ad313d 476->484 489 2ad3149-2ad3161 483->489 484->483 484->489 487->488 491 2ad3336-2ad3355 488->491 492 2ad3322-2ad3330 488->492 502 2ad336d-2ad3371 491->502 503 2ad3357-2ad335d 491->503 492->491 512 2ad357e-2ad3587 call 2ad2c10 494->512 513 2ad34f2-2ad350a call 2ad2bf0 494->513 504 2ad33ca-2ad3413 502->504 505 2ad3373-2ad3380 502->505 507 2ad335f 503->507 508 2ad3361-2ad3363 503->508 504->425 515 2ad33b6-2ad33c3 505->515 516 2ad3382-2ad33b4 505->516 507->502 508->502 520 2ad3589-2ad3593 512->520 521 2ad359a-2ad359f 512->521 530 2ad350c 513->530 531 2ad3513-2ad3548 call 2ad2bf0 513->531 515->504 516->515 520->521 525 2ad35ae 521->525 526 2ad35a1-2ad35ab 521->526 525->495 526->525 530->531 541 2ad354a 531->541 542 2ad3551-2ad3577 call 2ad2c00 531->542 541->542 542->512
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087469755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2ad0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: U
                                      • API String ID: 0-3372436214
                                      • Opcode ID: 143406d77db41e82fa5fdefaaf073121eacdc737c953f110622469c8fc81d64a
                                      • Instruction ID: 031e329da99956399e9adcb9e422e8852ba935fd4058c2cd877a6d131633532f
                                      • Opcode Fuzzy Hash: 143406d77db41e82fa5fdefaaf073121eacdc737c953f110622469c8fc81d64a
                                      • Instruction Fuzzy Hash: F5429830B012058FDB19DB79C5A0BAEBBF6AF88704F1484ADE5469B3A1DF34E801CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Te]q
                                      • API String ID: 0-52440209
                                      • Opcode ID: f437aabda2f0ad68cf0418342d3bb8c395b2b53c8d7387b8ff2bca856aaadd3c
                                      • Instruction ID: 58e341159e6ecfcd1e25499d53d64f72c40cb1c5579c0900bcbe9e7fbbfd172c
                                      • Opcode Fuzzy Hash: f437aabda2f0ad68cf0418342d3bb8c395b2b53c8d7387b8ff2bca856aaadd3c
                                      • Instruction Fuzzy Hash: D75116B4E15218CFDB18CFAAC9446EEBBFAFF8A304F10942AD409AB355DB345945CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 686d920777ce2388969febbbb9b91559edbc9adbcd295ba09207e8fbe5fa196a
                                      • Instruction ID: 957db402246d5a5c450dfb6d05ce419c7b2b22434938f8dab73908de2b1a6a94
                                      • Opcode Fuzzy Hash: 686d920777ce2388969febbbb9b91559edbc9adbcd295ba09207e8fbe5fa196a
                                      • Instruction Fuzzy Hash: E64280B4E01219CFDB64CFA9C984BDDBBB2BF48310F1081A9D809A7395D735AA85CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0081ae838db871814697b6156f5eba9c94474e0a1b9b7826650891886ce6f30f
                                      • Instruction ID: 782f7c7fd61ac19a93d06583d89eca831bcd146fcf6857292c1a6b453d5639e5
                                      • Opcode Fuzzy Hash: 0081ae838db871814697b6156f5eba9c94474e0a1b9b7826650891886ce6f30f
                                      • Instruction Fuzzy Hash: F9A1E674E01219DFDB05DFA9D894AADBBB2FF88300F108529E909A7354DB316D96CF40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 19b4fd8d892ac292f02905c238eedf9a7d1159330f61eb723918635582e5f461
                                      • Instruction ID: acbddb9add15da748134acd2e79aef25c087007734833625ba821d3f25765d04
                                      • Opcode Fuzzy Hash: 19b4fd8d892ac292f02905c238eedf9a7d1159330f61eb723918635582e5f461
                                      • Instruction Fuzzy Hash: 7AA1C678E01219DFDB05DFA9D894AAEBBB2FF88300F108529E509A7354DB356D96CF40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 53cdf2e47f58e0e3d00f0cc929489c7b1a77d06bcebc4ed770ea5731b082289c
                                      • Instruction ID: 632c172b1de4536be71ed20b04c4ccf6f8d7a560e2b6c427096b617183a1c487
                                      • Opcode Fuzzy Hash: 53cdf2e47f58e0e3d00f0cc929489c7b1a77d06bcebc4ed770ea5731b082289c
                                      • Instruction Fuzzy Hash: 706192B4E01618DBDB18CF6AD984BDDBBF2BF88310F1481A9D809A7394D7359985CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6ac25ea2bd6f4e886024526eb56bf1ad8f319c7a7cb7dc73ff8da729dd90ddb
                                      • Instruction ID: bdb636496938fc8cb19584d5978ea6ee953a59cc064f9029053c11fde345cbe2
                                      • Opcode Fuzzy Hash: a6ac25ea2bd6f4e886024526eb56bf1ad8f319c7a7cb7dc73ff8da729dd90ddb
                                      • Instruction Fuzzy Hash: 5F21E2B1D016189BEB18CFABC9453DEFBF6BFC9304F14C06AD508A6264DB75094A8F90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087469755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2ad0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0c32cd54b0529f42c37fab49b887d173da28f883955a35059470488d795b89b5
                                      • Instruction ID: 7e025d7864af654fba5832dd1236a98f7ff798b1ef95424f2bd629917cb045aa
                                      • Opcode Fuzzy Hash: 0c32cd54b0529f42c37fab49b887d173da28f883955a35059470488d795b89b5
                                      • Instruction Fuzzy Hash: C8D0927480A358CBCB40DF64D8859F8BBB8BB0A300F0520A9A41EA3361DA769884DE54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087469755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2ad0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9848655db7b9815a190698fdb8aba01b64ccf5ede79efbf45cf0c8ca78e8fdfd
                                      • Instruction ID: feb2d9550e24e4bf2350e55c499e770cc90d7d18b0e56d70a4deb13b962be544
                                      • Opcode Fuzzy Hash: 9848655db7b9815a190698fdb8aba01b64ccf5ede79efbf45cf0c8ca78e8fdfd
                                      • Instruction Fuzzy Hash: 47B00161C8F2E9AAD6436B6854520F59A7C6A4B044F897182B06F770A34848C608C5EE
                                      Control-flow Graph (graph figure omitted): nodes 754d7b7 through 754db05, with a call to CreateProcessA in node 754d94f-754da09
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0754D9F6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: c1bcf67dd5cb6303ca929b30a56f68f53189b636a89f221b39e474d4ea5a2c19
                                      • Instruction ID: 7bfbae7f1db18f9c1947111c920307be11ba73c3f5e3d860d0119ac90be2d507
                                      • Opcode Fuzzy Hash: c1bcf67dd5cb6303ca929b30a56f68f53189b636a89f221b39e474d4ea5a2c19
                                      • Instruction Fuzzy Hash: F8A15EB1E0031ADFDB24DF69C8417EDBBB2BF44314F1485AAD909A7240DB749985CF92
                                      Control-flow Graph (graph figure omitted): nodes 754d7c0 through 754db05, with a call to CreateProcessA in node 754d94f-754da09
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0754D9F6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: eccd48b30bb408a176093462299955b80ab55dbc837897a289c72f4ee96ed1ff
                                      • Instruction ID: 64db0f1cb75430e87d1c11ed353ac1a8f06aa3bfa49ded004f5ec24076f1a813
                                      • Opcode Fuzzy Hash: eccd48b30bb408a176093462299955b80ab55dbc837897a289c72f4ee96ed1ff
                                      • Instruction Fuzzy Hash: CC914DB1E0031ADFDB24DF69C8417EDBBB2BF44314F1485AAD909A7240DB749985CF92
                                      Control-flow Graph (graph figure omitted): nodes 12cb33a through 12cb5c8, with internal calls to 12c9db8, 12cb5e0/12cb5d0, 12cb000, 12cb010, 12cb020 and 12cb030, and a call to GetModuleHandleW in node 12cb580-12cb5ab
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB59E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 82e332bbca8982a2c135bf35239da5e4b58a22145578d76f7eefdd0821546500
                                      • Instruction ID: 6e761aee30194118f9948a9bb8c5736d73f36efd76df7eba690f153a372ee6b0
                                      • Opcode Fuzzy Hash: 82e332bbca8982a2c135bf35239da5e4b58a22145578d76f7eefdd0821546500
                                      • Instruction Fuzzy Hash: FC814870A10B468FD724DF29D05576ABBF1FF48740F008A2DD68AD7A40D735E949CB91
                                      Control-flow Graph (graph figure omitted): nodes 12c4560 through 12c5e61, with a call to CreateActCtxA in node 12c4560-12c5dd9
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 012C5DC9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: d83e01da4ae8428c6ddce52f209e926b545da24f88a66255f896ba4601999f4f
                                      • Instruction ID: 4a14526e4ec5c05b1fcaa11194f0fb804f61b75f2c3bbd05b6dd75f60d2638a2
                                      • Opcode Fuzzy Hash: d83e01da4ae8428c6ddce52f209e926b545da24f88a66255f896ba4601999f4f
                                      • Instruction Fuzzy Hash: 144102B0D00719CBDB25DFA9C884BCDBBB5BF48704F20815AD508AB251DBB56946CF91
                                      Control-flow Graph (graph figure omitted): nodes 12c5d0c through 12c5e61, with a call to CreateActCtxA in node 12c5d0c-12c5dd9
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 012C5DC9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 4ffdfb71b109292d3cd9e0d188f821dcd99393a3b272ee7f82c048a3b8385d07
                                      • Instruction ID: 88e3c6895a1d16b8083d69bad70a4fcbf03f5a46aba05844e1c0f7741774b343
                                      • Opcode Fuzzy Hash: 4ffdfb71b109292d3cd9e0d188f821dcd99393a3b272ee7f82c048a3b8385d07
                                      • Instruction Fuzzy Hash: AB4101B0D00719CEDB25CFA9C884BDEBBB1BF49704F20815AD508AB255DB71694ACF91
                                      Control-flow Graph (graph figure omitted): nodes 754d530 through 754d60e, with a call to WriteProcessMemory in node 754d596-754d5d5
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0754D5C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 239b45be34866c48d8df1810ec930527f7b1566f8d2a5ab920d6559f32df85f7
                                      • Instruction ID: 05204c1af5b664696765a04a7d0591feb7c959dc9005cfa153742736f6eaef8e
                                      • Opcode Fuzzy Hash: 239b45be34866c48d8df1810ec930527f7b1566f8d2a5ab920d6559f32df85f7
                                      • Instruction Fuzzy Hash: AC2137B5D003499FCB10DFA9C885BDEBBF5FF48314F10842AE919A7240C7789555DBA1
                                      Control-flow Graph (graph figure omitted): nodes 754d538 through 754d60e, with a call to WriteProcessMemory in node 754d596-754d5d5
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0754D5C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: f522551477497548e7d140b8dc5a931ad216224f90d0445e3ca36acf8c4f274c
                                      • Instruction ID: 922d126465e736655c94d1a883d54cb6cd337b013de39401d8ce8426e7d19af4
                                      • Opcode Fuzzy Hash: f522551477497548e7d140b8dc5a931ad216224f90d0445e3ca36acf8c4f274c
                                      • Instruction Fuzzy Hash: 3C2127B5D003499FCB10DFA9C885BEEBBF5FF48314F10842AE919A7240C7789945DBA1
                                      Control-flow Graph (graph figure omitted): nodes 754d623 through 754d6ee, with a call to ReadProcessMemory in node 754d623-754d6b5
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0754D6A8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 2ebf58214b8fd3897a5388d15e1c5f8e1c10217abf3249422f1295d173f35589
                                      • Instruction ID: 943aecf64fe9f8f54240dea60d81f9269ae1fcd472b47c803d8460c8ccf35edc
                                      • Opcode Fuzzy Hash: 2ebf58214b8fd3897a5388d15e1c5f8e1c10217abf3249422f1295d173f35589
                                      • Instruction Fuzzy Hash: 042159B5D00349AFCB10DFAAC885AEEFBF5FF88310F10842AE519A7240C7389541DBA1
                                      Control-flow Graph (graph figure omitted): nodes 754d398 through 754d464, with a call to Wow64SetThreadContext in node 754d3fb-754d42b
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0754D41E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 7c499745517cadc87e3035a11cf8268f1dc513a7e0b7c7eb25cd7faa8e10a534
                                      • Instruction ID: 57a65cf45cfaa04dd2aa08ef7dab44f287218c3fcf9f16bda4b5115d341af62f
                                      • Opcode Fuzzy Hash: 7c499745517cadc87e3035a11cf8268f1dc513a7e0b7c7eb25cd7faa8e10a534
                                      • Instruction Fuzzy Hash: DB2125B1D003099FDB10DFAAC485BEEBBF4EF88314F14842AD559A7241C778A945CFA1
                                      Control-flow Graph (graph figure omitted): nodes 12cb234 through 12cd8e2, with a call to DuplicateHandle in node 12cb234-12cd8bc
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012CD7EE,?,?,?,?,?), ref: 012CD8AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 345c86023dc78becd11f521129f0ff33f60ba7e6e15d8703cb3d4df8c2fb1ff0
                                      • Instruction ID: 620eff8c818206664f6e1bae46892c13b5fcf2fd242ef639a1270d5f4fbe9094
                                      • Opcode Fuzzy Hash: 345c86023dc78becd11f521129f0ff33f60ba7e6e15d8703cb3d4df8c2fb1ff0
                                      • Instruction Fuzzy Hash: 692105B5D10209AFDB10CF99D484ADEBFF4EB48310F10852AE918A3310D374A954CFA1
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012CD7EE,?,?,?,?,?), ref: 012CD8AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: b799ed8195433793228929f51c0b9fca6f4b2034b6c74b9a57499a683aebf2a4
                                      • Instruction ID: 8563f2eb11142f1221fe0cae09ae97f75d1fa7872e9f83b27f23afa1340fff2d
                                      • Opcode Fuzzy Hash: b799ed8195433793228929f51c0b9fca6f4b2034b6c74b9a57499a683aebf2a4
                                      • Instruction Fuzzy Hash: 3D21E4B5D11249AFDB10CFAAD884ADEBFF8FB48310F14851AE918A3350D374A945CFA5
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0754D6A8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: c4de77dabc1f5126c1be8fa5bcbe13dae8777df04cccc19d5b4483809488972d
                                      • Instruction ID: 2b7c483c462be62b52fd43c0e467374670663f045ed35bbeaabc9d898fda92e2
                                      • Opcode Fuzzy Hash: c4de77dabc1f5126c1be8fa5bcbe13dae8777df04cccc19d5b4483809488972d
                                      • Instruction Fuzzy Hash: D22139B1D003599FCB10DFAAC885AEEFBF5FF88310F10842AE519A7240C7389545DBA5
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0754D41E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 713b9471d82056ca9ea64c7df10c3c591da2be8d8e5cc31290d5595ed93f7f95
                                      • Instruction ID: 4812abd64f5d55eaae31dd61b585006e1a41f72d0732e55e60f5bb51f470f62b
                                      • Opcode Fuzzy Hash: 713b9471d82056ca9ea64c7df10c3c591da2be8d8e5cc31290d5595ed93f7f95
                                      • Instruction Fuzzy Hash: B92107B1D003099FDB14DFAAC4857EEBBF4EB88314F14842AD559A7240C778A945CFA5
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0754D4E6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 64496b0d06eb168269dedbcb162449417ccb84fb58b0ddcad384785f1c28b9d9
                                      • Instruction ID: 79d5da0759f5d7c5948884ade74546c078c22d3974a594cf351726faaa08728e
                                      • Opcode Fuzzy Hash: 64496b0d06eb168269dedbcb162449417ccb84fb58b0ddcad384785f1c28b9d9
                                      • Instruction Fuzzy Hash: 742156B2D002499FCB10DFA9C845ADEBFF5EB88324F208419E519A7250C775A511CBA1
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0754D4E6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 7bed8581a798377766e764b4dd187f431e5cf476b8de9efecf8eb6923f72a16d
                                      • Instruction ID: a07da65d8ba552be8210c0a4e185c7a2332d45e7d5f640937ba844657f12ab8c
                                      • Opcode Fuzzy Hash: 7bed8581a798377766e764b4dd187f431e5cf476b8de9efecf8eb6923f72a16d
                                      • Instruction Fuzzy Hash: 321156B1D002499FCB10DFAAC844ADEBFF5EB88324F208419E519A7250C775A540CFA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: a55b0a25a361032ff3d0d22abd75e9088b2235491af330a33aa7148464ef8bf2
                                      • Instruction ID: 30be156afeadf6bcf3468854bef34341eb2b015ae522e41a2ff7b9fafb8eff29
                                      • Opcode Fuzzy Hash: a55b0a25a361032ff3d0d22abd75e9088b2235491af330a33aa7148464ef8bf2
                                      • Instruction Fuzzy Hash: 481146B1D003498FCB20DFAAC8456DEFFF4AB88324F24841AD519A7680C779A545CBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 3a43b652db506b553f79726fe8f63dea05241171f83e38531941f726eb68931d
                                      • Instruction ID: 6274b8437ee02d9e4b8c74bf0dd13e6a1b02944a49145dd34997aec1c7c0cfd5
                                      • Opcode Fuzzy Hash: 3a43b652db506b553f79726fe8f63dea05241171f83e38531941f726eb68931d
                                      • Instruction Fuzzy Hash: F71136B1D003498FCB24DFAAC4457EEFBF4EB88324F24841AD519A7240CB79A945CFA5
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 02AD20F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087469755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2ad0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 8668980be951ecd17a623e8f09cf471939902a9461847e19af09e37395082d37
                                      • Instruction ID: bf3e38e951ab0c7dfbad4eed5c0bc7c4aa86ea72859162388d55103012eb6cb8
                                      • Opcode Fuzzy Hash: 8668980be951ecd17a623e8f09cf471939902a9461847e19af09e37395082d37
                                      • Instruction Fuzzy Hash: 1C1133B58003499FDB10DF9AD984BDEFFF8EB48320F10844AE919A7601C379A944CFA1
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB59E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 71b6032b186bfe22700393aa5fb62c924d18dd72c4dd0ae2db36de9eac3d247a
                                      • Instruction ID: 53f0f15bcde9bad02c1a0322527ce487a2f50b2923f70f4bc4bb9e93d46cb161
                                      • Opcode Fuzzy Hash: 71b6032b186bfe22700393aa5fb62c924d18dd72c4dd0ae2db36de9eac3d247a
                                      • Instruction Fuzzy Hash: D21110B5C102498FDB10CF9AD444ADEFBF8EF88710F14851AD919A7200D379A545CFA1
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 02AD20F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087469755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2ad0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: a44dfca17ecceb958eb63334d19f897732a6d538732629b865b11a11b6d59641
                                      • Instruction ID: a71025e3ee8613a0b0ecdea49a51ca3bdfdb6830c944048db002c7a64ecf9f3f
                                      • Opcode Fuzzy Hash: a44dfca17ecceb958eb63334d19f897732a6d538732629b865b11a11b6d59641
                                      • Instruction Fuzzy Hash: 2F1112B5C003499FCB10DF9AC988BDEFBF8EB48320F10841AE919A3200C375A944CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087151560.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_126d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4a25521e861322f32a0e0887dbb684f8847fbb59035bdee3d909e2b638c5fb1b
                                      • Instruction ID: 9585ab502026c2c0cc7b22843b8fd22a24c69da785b5013f3cc28de14b3edef5
                                      • Opcode Fuzzy Hash: 4a25521e861322f32a0e0887dbb684f8847fbb59035bdee3d909e2b638c5fb1b
                                      • Instruction Fuzzy Hash: 502178B161024CDFCB01DF58E8C0B26BF69FB88318F24C569D9450B686C336D486C6A1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087151560.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_126d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 089d966428e5cdd3c152427e49b776fcb8b1fb6e9931166358550b2fc3b22994
                                      • Instruction ID: fe27fd25e1b0d994701ded7d628ab09300e7e4fb56aa580888f9beae3600c5ac
                                      • Opcode Fuzzy Hash: 089d966428e5cdd3c152427e49b776fcb8b1fb6e9931166358550b2fc3b22994
                                      • Instruction Fuzzy Hash: 132148B561024DDFDB01DF48D9C0B56BF69FB88314F24C56DD9490B286C336E896CAA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087190490.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_127d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 225dab70b1c9ad3e480f202697366f7d2eeaa4e0f32bec4a0483cc36c76c4499
                                      • Instruction ID: 6dbabb59f6d5205a4cd2995067c5346b37bae59b757e265e6df159914c8fdc23
                                      • Opcode Fuzzy Hash: 225dab70b1c9ad3e480f202697366f7d2eeaa4e0f32bec4a0483cc36c76c4499
                                      • Instruction Fuzzy Hash: 252125B1614209EFDB01DF98D5C0B26BBA5FF84324F24C56DD9094B243C376D407CA61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087190490.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_127d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f6ddb13dcdada5a21c7bdecbb814cee9eca93afd11904bfbcea0d15f1cf9b4eb
                                      • Instruction ID: f71519a600140ed07f6a45923b87f6a507d54eb10c256c332277395314f652c8
                                      • Opcode Fuzzy Hash: f6ddb13dcdada5a21c7bdecbb814cee9eca93afd11904bfbcea0d15f1cf9b4eb
                                      • Instruction Fuzzy Hash: 632122B5614208DFDB16DF68D9C0B27BBA5EF84314F24C96DD90A0B246C37AD407CA61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087190490.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_127d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6b82dd502619242e3e7d6c39a5df6b2c01694c60b0b7dee311dcb3f81e00d66d
                                      • Instruction ID: 27a664f741e2fa2bbc949e708e0eeba28f764387345052a43a257b44ae79555b
                                      • Opcode Fuzzy Hash: 6b82dd502619242e3e7d6c39a5df6b2c01694c60b0b7dee311dcb3f81e00d66d
                                      • Instruction Fuzzy Hash: 4E218E755093848FDB03CF24D994716BF71EF46314F28C5EAD9498B6A7C33A980ACB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087151560.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_126d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                      • Instruction ID: 206af96c0513a444b8e2bae00c5ea5f7694dc3a3fad1fbb992f8f51bbc2036e1
                                      • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                      • Instruction Fuzzy Hash: FA112676904288CFCB12CF54E5C4B16BF71FB84314F24C6A9D9490B657C336D45ACBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087151560.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_126d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                      • Instruction ID: 5a8fbf5df9cb7fea12cbb1c3fa058fc94621c6208f5b2fcd5882b7b4a7d2063a
                                      • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                      • Instruction Fuzzy Hash: 6E112676504288CFDB02CF44D5C4B56BF71FB84324F24C2A9D9490B697C33AE85ACBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087190490.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_127d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                      • Instruction ID: 92a09e1b3494c68a122c6ddcaf66349e6f830493d63ada3a6b2c87871f69a793
                                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                      • Instruction Fuzzy Hash: 3D11BB75904284DFDB02CF54D5C4B16BFA1FF84224F28C6A9D9494B697C33AD40ACB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087151560.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_126d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8f40e6fff34f560bea620db6e8375ad65d5ff9082f5d558bd2fe2a818fa49d6
                                      • Instruction ID: 33cffadd46e7744d08e7476984a5eb352b1df66df52230b3d4ba0aff051740ae
                                      • Opcode Fuzzy Hash: b8f40e6fff34f560bea620db6e8375ad65d5ff9082f5d558bd2fe2a818fa49d6
                                      • Instruction Fuzzy Hash: FF017B7121438C9AE7164E99CCC4B37BFACDF41320F18C41AEE480A2C6C37C9884CA72
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087151560.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_126d000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f81fcfe6039a88f59b2a996c1d26ddfc34e045ba97ce388020bc3cbc56ceade4
                                      • Instruction ID: 0e0d15da9e07f2261a36cdb97cdf8e9a293314bd4b86adcbb2674f13e401c2db
                                      • Opcode Fuzzy Hash: f81fcfe6039a88f59b2a996c1d26ddfc34e045ba97ce388020bc3cbc56ceade4
                                      • Instruction Fuzzy Hash: A2F0C271504388AEE7158E19DC88B62FFACEB41634F18C45AEE480A286C3799884CAB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087469755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2ad0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH]q$PH]q
                                      • API String ID: 0-1166926398
                                      • Opcode ID: b461dec6e83aaea84589b0040ab701a8810f6571c3716bdd983c37dc4849c158
                                      • Instruction ID: 48b4ef8ae480ed5fb0fb17b8ff9359b310f96b8cf38540ed31f988a71a13b5b7
                                      • Opcode Fuzzy Hash: b461dec6e83aaea84589b0040ab701a8810f6571c3716bdd983c37dc4849c158
                                      • Instruction Fuzzy Hash: 99D1D474A00608CFDB18DF69D598AA9B7F1BF8D705F2580A8E406EB361DB31AD40CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0fa56c59d79fac9b47fddb8a0b25c65fd4cf2159e2851ecf667569b69eb2e700
                                      • Instruction ID: adcc57be6c804ab5ee14d717a0c8382100cd1e59d62b6540930d746acbad97e6
                                      • Opcode Fuzzy Hash: 0fa56c59d79fac9b47fddb8a0b25c65fd4cf2159e2851ecf667569b69eb2e700
                                      • Instruction Fuzzy Hash: F3E1F8B4E042198FCB14DFA9C984AAEFBB2BF89304F24C16AD454AB355D731AD41CF61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 36b32f6bc603666543a13b2fe9cff8c5f6fbbfd4c443237fb31d4d1bc3732b00
                                      • Instruction ID: 737e2bd93cabc10a71a225f85edf9d88d619a4772e499c1b20a517faa31d73e5
                                      • Opcode Fuzzy Hash: 36b32f6bc603666543a13b2fe9cff8c5f6fbbfd4c443237fb31d4d1bc3732b00
                                      • Instruction Fuzzy Hash: CFE1E7B4E501198FDB14DFA9C580AAEBBB2FF89308F24C16AD415AB355D730AD41CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4692a855f521494200c6dcdaf35d216fdbd7a181d037c0420ab181cda9b416d
                                      • Instruction ID: bf605914885053bc7beef0bc401bfc720126cff2e6649f45304cdc2e4c34291c
                                      • Opcode Fuzzy Hash: e4692a855f521494200c6dcdaf35d216fdbd7a181d037c0420ab181cda9b416d
                                      • Instruction Fuzzy Hash: 0DE1F8B4E006598FCB14DFA9C580AAEFBB2FF89308F24816AD415AB355D731AD41CF61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf4c28ad28d892fdf0e01a6075a46bf4b6141a476187e48400192d9148d72cef
                                      • Instruction ID: b2ba306bb38ba64e4e46ccdcf5375deecfe89095bce5a4fe200b52c1b9b60148
                                      • Opcode Fuzzy Hash: bf4c28ad28d892fdf0e01a6075a46bf4b6141a476187e48400192d9148d72cef
                                      • Instruction Fuzzy Hash: 50E1F8B4E101198FCB14DFA9C580AAEFBF2BF89305F24816AD415AB355D731AD42CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6967f9d6a05b9b883f10fde2fc0c55dc48523ccdab65677f8eb01ab9739be5d0
                                      • Instruction ID: d383106d4045cc170dd56af92ece9aec84e20cbd12cd0796e697fbdd73c76ddf
                                      • Opcode Fuzzy Hash: 6967f9d6a05b9b883f10fde2fc0c55dc48523ccdab65677f8eb01ab9739be5d0
                                      • Instruction Fuzzy Hash: A7E1F8B4E402198FCB54DFA8C580AAEFBB2BF89305F64C16AE415AB355D730AD41CF61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 340b7645c490ca4a8e3a7944bc874b5b5708db7e1db50901acaa62d7c51fd569
                                      • Instruction ID: 7ed1001236da0de3893935ae24fac77fd2ef37ca9fa204656ceaa999b89c3b66
                                      • Opcode Fuzzy Hash: 340b7645c490ca4a8e3a7944bc874b5b5708db7e1db50901acaa62d7c51fd569
                                      • Instruction Fuzzy Hash: ECE1F9B4E112198FCB14DFA9C580AAEFBB2FF89304F24816AD415AB355D731AD41CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2087365218.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12c0000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bcc6e96683b91bcc7972d7fcf719fc67baaf568a48ca5f5aa1c8630f9e71587e
                                      • Instruction ID: d79d77d2a1613d544f2bdd219dc5077a4270cda169b9c241c26509f9f5b39fdb
                                      • Opcode Fuzzy Hash: bcc6e96683b91bcc7972d7fcf719fc67baaf568a48ca5f5aa1c8630f9e71587e
                                      • Instruction Fuzzy Hash: 10A17032E202168FCF09DFB8C9805EEBBB2FF85700B15466DEA05AB255DB71D955CB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2bd6532d1f81e06e63de19001a53118cabf6ab5ecb99e958b97e24353433dab8
                                      • Instruction ID: 5c0cb19e7e0081c479be16042d78ab34dda266c1eeae0edf053e8345120f19ed
                                      • Opcode Fuzzy Hash: 2bd6532d1f81e06e63de19001a53118cabf6ab5ecb99e958b97e24353433dab8
                                      • Instruction Fuzzy Hash: 807190B4E016598FCB04DFAAC584AEEFBF2BF88300F24D166D418AB255D7349942CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ad6f4a78543fbca2b2f6d0fa80841964b236ff604abd3bb28e21bab5e7e0c8b7
                                      • Instruction ID: dde4c6316912532d397ae0b0353e8fd10ede4ec98e7cc2c73751e569eb9c5600
                                      • Opcode Fuzzy Hash: ad6f4a78543fbca2b2f6d0fa80841964b236ff604abd3bb28e21bab5e7e0c8b7
                                      • Instruction Fuzzy Hash: 2A5180B5D016199FDF08DFEAC9846EEBBB2BF89300F10902AE519BB254DB345946CF40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 414de0360105d049de94dee59b0839dbf3eb78d0deba42d64a09720f3d14d0d0
                                      • Instruction ID: 1be22adc8140ac04f2f2b00bb6bf7a6bf63070bab4e3eb0e0162f8da27756a50
                                      • Opcode Fuzzy Hash: 414de0360105d049de94dee59b0839dbf3eb78d0deba42d64a09720f3d14d0d0
                                      • Instruction Fuzzy Hash: A25106B4E102198FCB14DFA9C5846AEFBF2BF89305F24C16AD418AB355D7319942CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cde34cc95c27b77efc474745fe94dbd5952fb33850d4884d104f04dce6551d6e
                                      • Instruction ID: 9f07d1ba8748fc6d8c9b9c6195f9a601554b7044242e5518282c8d1e23f8c037
                                      • Opcode Fuzzy Hash: cde34cc95c27b77efc474745fe94dbd5952fb33850d4884d104f04dce6551d6e
                                      • Instruction Fuzzy Hash: 975180B5E006598FDB08CFAAC9856DEFBF2BF88300F14C16AD419AB354DB349946CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2093451549.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7540000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d487c35e84e30ea22f27d07ab6bf66ea55fc865ded161cd7cb193d732b62151
                                      • Instruction ID: bad479809f6dc7e62725268ae864d86ef3738f8037e9ecc286995273f55b050e
                                      • Opcode Fuzzy Hash: 2d487c35e84e30ea22f27d07ab6bf66ea55fc865ded161cd7cb193d732b62151
                                      • Instruction Fuzzy Hash: 494171B5E006199BDB08DFEAC9856EEFBF6BF88300F14D02AD519AB254DB345946CF40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.4498769929.0000000002F2F000.00000004.00000010.00020000.00000000.sdmp, Offset: 02F2F000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_2f2f000_z1ProductSampleRequirement.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: f25f8e66db786bd475896d7c315c657094b1779260b0cbdfeb6c92039be1a5ca
                                      • Instruction ID: 5439b80096b71b6ea6bbcc4990511de8ec1844e66f2f1a4e591c760133304b9c
                                      • Opcode Fuzzy Hash: f25f8e66db786bd475896d7c315c657094b1779260b0cbdfeb6c92039be1a5ca
                                      • Instruction Fuzzy Hash: 1E4163525AE3D21FD30347B448B62907FB0AD13168B1E46EBC4D5CF8E3D209585BCB62

                                      Execution Graph

                                      Execution Coverage:10.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:217
                                      Total number of Limit Nodes:8
                                      execution_graph (node/edge dump of the rendered graph; condensed below to the call paths that resolve to an API, edge list truncated in the source)
                                      • 6badcaf -> 6badc57 -> 6bafeb8 / 6bafeb3 -> aa50308 / aa502f8 (dispatcher, 12 API calls) -> aa5031d / aa502fd
                                      • aa50646, aa50718, aa5084b, aa50543 -> aa5066c -> 6bad538 / 6bad533 -> 6bad580: WriteProcessMemory
                                      • aa50759 -> aa50afc -> aa51061 / aa51070 -> aa51085 -> 6bad478 / 6bad473 -> 6bad4b8: VirtualAllocEx
                                      • aa50539, aa50b30, aa5084b, aa507a8, aa508cf, aa5058c, aa50d62 -> aa5052f -> 6bad2eb / 6bad2f0 -> 6bad330: ResumeThread
                                      • aa50439 -> aa50443 -> 6bad7bb / 6bad7c0 -> 6bad849 / 6bad9ae: CreateProcessA
                                      • aa5083f -> aa50d86 -> 6bad628 / 6bad623 -> 6bad673: ReadProcessMemory
                                      • aa5058c -> aa505a7 -> 6bad39b / 6bad3a0 -> 6bad3e5: Wow64SetThreadContext; aa5060c -> 6bad39b / 6bad3a0: Wow64SetThreadContext
                                      • aa51200 -> aa51226 -> aa51480 / aa5147b -> aa514ec: PostMessageW
                                      • 86d5e0 -> 86d626 -> 86d7c0 / 86d7b1 -> 86b234 -> 86d828: DuplicateHandle
                                      • 864668 -> 86467a -> 864686 -> 864204 -> 86420f -> 8659fc -> 867084; 86467a -> 864778 -> 86479d -> 864888 / 864878 (edge list cut off here in the source)
8648af 26861->26862 26864 86498c 26862->26864 26869 864560 26862->26869 26867 8648af 26865->26867 26866 86498c 26866->26866 26867->26866 26868 864560 CreateActCtxA 26867->26868 26868->26866 26870 865d18 CreateActCtxA 26869->26870 26872 865ddb 26870->26872 26874 865a07 26873->26874 26877 865a1c 26874->26877 26876 867425 26876->26860 26878 865a27 26877->26878 26881 865a4c 26878->26881 26880 867502 26880->26876 26882 865a57 26881->26882 26885 865a7c 26882->26885 26884 867605 26884->26880 26886 865a87 26885->26886 26888 868b6b 26886->26888 26892 86ae10 26886->26892 26887 868ba9 26887->26884 26888->26887 26896 86cf10 26888->26896 26901 86cf00 26888->26901 26906 86b240 26892->26906 26910 86b250 26892->26910 26893 86ae26 26893->26888 26897 86cf31 26896->26897 26898 86cf55 26897->26898 26918 86d4c8 26897->26918 26922 86d4b9 26897->26922 26898->26887 26902 86cf31 26901->26902 26903 86cf55 26902->26903 26904 86d4c8 GetModuleHandleW 26902->26904 26905 86d4b9 GetModuleHandleW 26902->26905 26903->26887 26904->26903 26905->26903 26907 86b250 26906->26907 26913 86b33a 26907->26913 26908 86b25f 26908->26893 26912 86b33a GetModuleHandleW 26910->26912 26911 86b25f 26911->26893 26912->26911 26914 86b37c 26913->26914 26915 86b359 26913->26915 26914->26908 26915->26914 26916 86b580 GetModuleHandleW 26915->26916 26917 86b5ad 26916->26917 26917->26908 26920 86d4d5 26918->26920 26919 86d50f 26919->26898 26920->26919 26926 86d2f0 26920->26926 26923 86d4d5 26922->26923 26924 86d2f0 GetModuleHandleW 26923->26924 26925 86d50f 26923->26925 26924->26925 26925->26898 26927 86d2fb 26926->26927 26929 86de20 26927->26929 26930 86d40c 26927->26930 26929->26929 26931 86d417 26930->26931 26932 865a7c GetModuleHandleW 26931->26932 26933 86de8f 26932->26933 26933->26929
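The execution graph above records the sample's call chain into the injection primitives (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread). The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses that execution_graph notation, walks it from the entry node 6badcaf, and reports whether the APIs reachable from the entry form the process-hollowing sequence (create target process, allocate in it, write the payload, redirect a thread, resume). The token grammar it assumes is inferred from the visible layout of the dump and is not documented by Joe Sandbox; the embedded excerpt is constructed from the node list shown above.

```python
"""Added example (not Joe Sandbox or sample code): reconstruct the call chain
from a Joe Sandbox execution_graph dump and classify it as process hollowing.

Assumed token grammar (inferred from the dump, not documented):
    <id> <addr> [ApiName ...]   node, optionally labelled with API names
    <id> <addr> <n> API calls   node whose callees were already expanded
    <src>-><dst>                edge between node ids
"""
import re
from collections import deque

# Constructed excerpt of the execution_graph in the report above; only the
# nodes needed to reach each injection primitive from 6badcaf are kept.
SAMPLE_GRAPH = """execution_graph 26647 6badcaf 26648 6badc57 26647->26648
26652 6bafeb8 26648->26652 26653 6bafed2 26652->26653 26662 aa50308 26653->26662
26663 aa5031d 26662->26663 26696 aa50646 26663->26696 26706 aa50759 26663->26706
26711 aa50539 26663->26711 26715 aa50439 26663->26715 26720 aa5083f 26663->26720
26752 aa5060c 26663->26752 26697 aa5066c 26696->26697 26765 6bad538 26697->26765
26766 6bad580 WriteProcessMemory 26765->26766 26707 aa50afc 26706->26707
26773 aa51061 26707->26773 26774 aa51085 26773->26774 26783 6bad478 26774->26783
26784 6bad4b8 VirtualAllocEx 26783->26784 26712 aa5052f 26711->26712
26791 6bad2eb 26712->26791 26792 6bad330 ResumeThread 26791->26792
26716 aa50443 26715->26716 26799 6bad7bb 26716->26799
26800 6bad849 CreateProcessA 26799->26800 26721 aa50d86 26720->26721
26807 6bad628 26721->26807 26808 6bad673 ReadProcessMemory 26807->26808
26754 6bad39b Wow64SetThreadContext 26752->26754
26660 aa502f8 12 API calls 26658->26660"""

EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "apis"}, edges maps
    id -> set of successor ids.  Unknown tokens are skipped."""
    nodes, edges = {}, {}
    tokens = text.split()
    i = 1 if tokens and tokens[0] == "execution_graph" else 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.setdefault(m.group(1), set()).add(m.group(2))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens):
            node = nodes.setdefault(tok, {"addr": tokens[i + 1], "apis": []})
            i += 2
            # "<n> API calls" summarises an already-expanded callee; drop it.
            if (i + 2 < len(tokens) and tokens[i].isdigit()
                    and tokens[i + 1] == "API" and tokens[i + 2] == "calls"):
                i += 3
            # Capitalised tokens up to the next id or edge are API labels.
            while i < len(tokens) and tokens[i][0].isupper() and not EDGE.match(tokens[i]):
                node["apis"].append(tokens[i])
                i += 1
            continue
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges, root_addr):
    """Breadth-first walk from every node at root_addr; collect API labels."""
    queue = deque(nid for nid, n in nodes.items() if n["addr"] == root_addr)
    seen, apis = set(), set()
    while queue:
        nid = queue.popleft()
        if nid in seen:
            continue
        seen.add(nid)
        apis.update(nodes.get(nid, {}).get("apis", []))
        queue.extend(edges.get(nid, ()))
    return apis


# Each hollowing step with the Win32 APIs that can implement it.
HOLLOWING_STEPS = [
    ("create_target", {"CreateProcessA", "CreateProcessW"}),
    ("allocate", {"VirtualAllocEx"}),
    ("write_payload", {"WriteProcessMemory"}),
    ("redirect_thread", {"Wow64SetThreadContext", "SetThreadContext"}),
    ("resume", {"ResumeThread"}),
]


def classify_injection(apis):
    """Return (is_hollowing, missing_steps) for a set of reachable API names."""
    missing = [name for name, alts in HOLLOWING_STEPS if not (alts & apis)]
    return (not missing), missing


def analyze(text, root_addr="6badcaf"):
    """Parse a dump, walk it from root_addr and summarise the verdict."""
    nodes, edges = parse_execution_graph(text)
    apis = reachable_apis(nodes, edges, root_addr)
    is_hollowing, missing = classify_injection(apis)
    return {"apis": sorted(apis), "hollowing": is_hollowing, "missing": missing}


if __name__ == "__main__":
    print(analyze(SAMPLE_GRAPH))
```

Run against the constructed excerpt, the walk from 6badcaf reaches all five hollowing steps plus ReadProcessMemory (the loader reading the target's image base before overwriting it), so the verdict is hollowing with no missing step. Feed it a graph that only creates and allocates, and the missing-step list names what is absent, which is more useful in triage than a bare boolean.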

                                      Control-flow Graph (rendered in the original report): function 6bad7bb, basic blocks 6bad7bb-6badb05; CreateProcessA is called in block 6bad94f-6bada09
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BAD9F6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: d102b7a442597c0db18519e2d76929371166fa688a68d2ad6e4118811a11218c
                                      • Instruction ID: 9b0fe5a0b3506385ace9aefbb76612e4b77af62511f5ee8242adc542a930df1b
                                      • Opcode Fuzzy Hash: d102b7a442597c0db18519e2d76929371166fa688a68d2ad6e4118811a11218c
                                      • Instruction Fuzzy Hash: F1915AB1D043198FDB64CF68C8417EDBBB2FF48310F1485A9E809A7240DB749985CF92

                                      Control-flow Graph (rendered in the original report): function 6bad7c0, basic blocks 6bad7c0-6badb05; CreateProcessA is called in block 6bad94f-6bada09
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BAD9F6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 4aa442c151a2d4fea1e5e4a20c5f4df8f9968a70c1c305afba419cd1aa8b68b3
                                      • Instruction ID: 95f2a76a667d8317f761f68abd5e19a44d5fa846b867735bec4e119511701a98
                                      • Opcode Fuzzy Hash: 4aa442c151a2d4fea1e5e4a20c5f4df8f9968a70c1c305afba419cd1aa8b68b3
                                      • Instruction Fuzzy Hash: CC915AB1D043198FDB64CF68C881BEDBBB2FF48314F1485A9E849A7240DB749985CF92

                                      Control-flow Graph (rendered in the original report): function 86b33a, basic blocks 86b33a-86b5c8; internal calls to 869db8, 86b5d0 / 86b5e0, 86b000, 86b010, 86b020 and 86b030; GetModuleHandleW is called in block 86b580-86b5ab
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0086B59E
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125285726.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_860000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 2706bce342cb0ec4724b8e59d5ce452ccab30465a219b4ce4647091f5b06698e
                                      • Instruction ID: 8269d7c50afb8dd7fe3ba0384b627532e5562309baaccc30ccff5916adcd3579
                                      • Opcode Fuzzy Hash: 2706bce342cb0ec4724b8e59d5ce452ccab30465a219b4ce4647091f5b06698e
                                      • Instruction Fuzzy Hash: 7F814470A00B058FD724DF29C45479ABBF1FF88304F118A2AE486DBB41DB34E989CB95

                                      Control-flow Graph (rendered in the original report): function 865d0c, basic blocks 865d0c-865e61; CreateActCtxA is called in block 865d6e-865dd9
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00865DC9
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125285726.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_860000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: aa72b637b513576d45a096503a5f8fa322c6c2d71a3b5787de6e643ff07ae406
                                      • Instruction ID: de20805ca4f80392b3bd318394cf92c4b0dfc12d3652caf2f57026a2aad9a603
                                      • Opcode Fuzzy Hash: aa72b637b513576d45a096503a5f8fa322c6c2d71a3b5787de6e643ff07ae406
                                      • Instruction Fuzzy Hash: 4641C3B0D00619CEDB24DFA9C884BDDBBF5FF45304F2080AAD408AB255DB75694ACF91

                                      Control-flow Graph (rendered in the original report): function 864560, basic blocks 864560-865e61; CreateActCtxA is called in block 864560-865dd9
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00865DC9
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125285726.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_860000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: bf3c0336d64f18bfedffabea9778acf9e18b5b19433ae1394139c904744d6b98
                                      • Instruction ID: 2cd9a0cf02ee2091f1b90fd070faa6a94a743c061e626d723fdfaa3c358921eb
                                      • Opcode Fuzzy Hash: bf3c0336d64f18bfedffabea9778acf9e18b5b19433ae1394139c904744d6b98
                                      • Instruction Fuzzy Hash: 0F41BFB0C00619CBDB24DFA9C848B9DBBB5FF49304F20806AD408AB255DB756A49CF91

                                      Control-flow Graph (rendered in the original report): function 6bad533, basic blocks 6bad533-6bad60e; WriteProcessMemory is called in block 6bad596-6bad5d5
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BAD5C8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 66e38a817b0195412e171518d19f3cbb5c10d8d6380a0564039ddd468c4316c8
                                      • Instruction ID: 0a45548d793f008dc5595fe4a346a429c94ba5b21a2f1d9108e2c57b0a158aaf
                                      • Opcode Fuzzy Hash: 66e38a817b0195412e171518d19f3cbb5c10d8d6380a0564039ddd468c4316c8
                                      • Instruction Fuzzy Hash: 432127B5D003099FCB10CFA9C885BEEBBF5FF48324F108429E969A7240C7789945CBA1

                                      Control-flow Graph (rendered in the original report): function 6bad538, basic blocks 6bad538-6bad60e; WriteProcessMemory is called in block 6bad596-6bad5d5
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BAD5C8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: aff558e6697780716a4591236eff1a0194d6f532c30facf51ee50cebc9a7dbef
                                      • Instruction ID: 14bef7b970ba498a32d5b84fcefaaa8a464023c269b5ce894374d76c6f59f80f
                                      • Opcode Fuzzy Hash: aff558e6697780716a4591236eff1a0194d6f532c30facf51ee50cebc9a7dbef
                                      • Instruction Fuzzy Hash: 092139B5D003099FCB10CFA9C885BEEBBF5FF48314F108429E959A7240C7789945CBA1

                                      Control-flow Graph (rendered in the original report): function 86d820, basic blocks 86d820-86d8e2; DuplicateHandle is called in block 86d820-86d8bc
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0086D7EE,?,?,?,?,?), ref: 0086D8AF
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125285726.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_860000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: e7be3d439affc3ae2cd08160bed5f8a483f103e92a49da665bfa9d4017d74c2d
                                      • Instruction ID: 6cdc85db368116230946ef4385b78f107a10e585d758785523814b0e47dcbcd4
                                      • Opcode Fuzzy Hash: e7be3d439affc3ae2cd08160bed5f8a483f103e92a49da665bfa9d4017d74c2d
                                      • Instruction Fuzzy Hash: 4021D2B5D002499FDB10CF99D884ADEBBF9FB48310F15841AE918A7350D378A945CFA1

                                      Control-flow Graph (rendered in the original report): function 86b234, basic blocks 86b234-86d8e2; DuplicateHandle is called in block 86b234-86d8bc
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0086D7EE,?,?,?,?,?), ref: 0086D8AF
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125285726.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_860000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 3e8feb3fba70f2aa12a2777cf0c0bce16211d39545815c3336c8b7608ed20c16
                                      • Instruction ID: 8fd61507ca1bbdbc28f6787790137497eac284c6ba01602d2be0213a615c1045
                                      • Opcode Fuzzy Hash: 3e8feb3fba70f2aa12a2777cf0c0bce16211d39545815c3336c8b7608ed20c16
                                      • Instruction Fuzzy Hash: C121D4B5D003099FDB10CF99D488AEEBBF4FB48310F15842AE914A7310D374A954CFA1

                                      Control-flow Graph (rendered in the original report): function 6bad623, basic blocks 6bad623-6bad6ee; ReadProcessMemory is called in block 6bad623-6bad6b5
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BAD6A8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: b18031cdc6081f150ec8bcb29e9d592b5c257bd62b41e8812298cedeaaf0dae3
                                      • Instruction ID: ae96026ed4a71c2af5a8e18e065d94633daf2c99c82bc84d6b6f6ddb4584751d
                                      • Opcode Fuzzy Hash: b18031cdc6081f150ec8bcb29e9d592b5c257bd62b41e8812298cedeaaf0dae3
                                      • Instruction Fuzzy Hash: 742125B5D003499FCB10DFA9C984AEEFBF5FF88310F10842AE519A7250C7389945DBA1

                                      Control-flow Graph (rendered in the original report): function 6bad39b, basic blocks 6bad39b-6bad464; Wow64SetThreadContext is called in block 6bad3fb-6bad42b
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BAD41E
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: f37e8d1ef526c315fd7e8373e348a61e8e2e4b8e5705672af6b1e2c42bd3b0f3
                                      • Instruction ID: c882807166308ff41cf5147dcbcf34216b29806a0c03e6cfebf12090ca556dea
                                      • Opcode Fuzzy Hash: f37e8d1ef526c315fd7e8373e348a61e8e2e4b8e5705672af6b1e2c42bd3b0f3
                                      • Instruction Fuzzy Hash: 232138B5D003098FDB10CFAAC4857EEBBF4EF88314F14842AD459A7240CB78AA45CFA1
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BAD6A8
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 015cceb3a7efda174cf9b6f90117b9da48edae1fba8887fc78f4dab5d560c0cb
                                      • Instruction ID: cce23b11697e9d8bb81ef930ac70fc73219d62e46a112a492e951dd5185aaadc
                                      • Opcode Fuzzy Hash: 015cceb3a7efda174cf9b6f90117b9da48edae1fba8887fc78f4dab5d560c0cb
                                      • Instruction Fuzzy Hash: F8213AB5C003499FCB10DFAAC845AEEFBF5FF88310F10842AE519A7240C7389545DBA1

                                      Control-flow Graph (rendered in the original report): function 6bad3a0, basic blocks 6bad3a0-6bad464; Wow64SetThreadContext is called in block 6bad3fb-6bad42b
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BAD41E
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 5050c9836804ac860e622f6ff288b9302632e23117f02092d2999d707bbb3b94
                                      • Instruction ID: 0f4fe04c90a3050f11e106b4d4d790dd3236fbd1dcea660150ce2ba572be7604
                                      • Opcode Fuzzy Hash: 5050c9836804ac860e622f6ff288b9302632e23117f02092d2999d707bbb3b94
                                      • Instruction Fuzzy Hash: 932147B1D003098FDB10DFAAC4857EEBBF4EF88324F10842AD459A7240CB78A945CFA1
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BAD4E6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: fbcd0a6f08decd7e8a5d583e7b853fb7f0afa7af23fca4f5e4297e565c22b715
                                      • Instruction ID: 308ed028ecb67e7a7e149448aed67c253b68becb0d2e761b0963f9c86d74740c
                                      • Opcode Fuzzy Hash: fbcd0a6f08decd7e8a5d583e7b853fb7f0afa7af23fca4f5e4297e565c22b715
                                      • Instruction Fuzzy Hash: 821156B6D002098FCB20DFA9C844AEFBFF5EF88320F208419E519A7250CB35A544CBA1
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BAD4E6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: ecd8bba27d1af8a6681dcd5e2b81b1c37a9d061483f6c4a81e20b48339d236d5
                                      • Instruction ID: 0be105444cf3656363f4e28fee8433ae76a493c1106416cb3b549fb42b78d6ce
                                      • Opcode Fuzzy Hash: ecd8bba27d1af8a6681dcd5e2b81b1c37a9d061483f6c4a81e20b48339d236d5
                                      • Instruction Fuzzy Hash: 731126B6D002499FCB10DFAAC845ADEBFF5EF88320F208419E519A7250CB75A544CBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: ba9c3e91d852cd312f4284ff1dbdc224dbb01d759f911f97e0b673489ee79d10
                                      • Instruction ID: c6ccc1f37a85ab7eb0a44b2fe37e5a37f90a7dd0b1d636183f60dfd2cef9ca78
                                      • Opcode Fuzzy Hash: ba9c3e91d852cd312f4284ff1dbdc224dbb01d759f911f97e0b673489ee79d10
                                      • Instruction Fuzzy Hash: 261146B5D003498ECB24DFAAC4496DEFBF4EF88324F208459D019A7240C7786545CBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2133893802.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_6ba0000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 3a8047240ab903252188de3bfc86330edb27cf9365245ea5716913c9765112ff
                                      • Instruction ID: b884cd3ea2507275e465ba0592895f20f4468206e282e95bb7723d307999bd50
                                      • Opcode Fuzzy Hash: 3a8047240ab903252188de3bfc86330edb27cf9365245ea5716913c9765112ff
                                      • Instruction Fuzzy Hash: 231125B5D003498FCB24DFAAC4497EEFBF4EF88324F248419D559A7240CB79A945CBA1
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0086B59E
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125285726.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_860000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: ef4f6524a0c125d528c4b58bad2d9e5dd6fc6e7e1aa0cc77a6ff81d9895c2644
                                      • Instruction ID: c671bcef20761c99b3ae0ab8da25b3c978d24f902430afb50ef8e777dde883a8
                                      • Opcode Fuzzy Hash: ef4f6524a0c125d528c4b58bad2d9e5dd6fc6e7e1aa0cc77a6ff81d9895c2644
                                      • Instruction Fuzzy Hash: E211E0B5C002498FCB10CF9AD448ADEFBF4FB88324F15841AD929A7210D379A589CFA1
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0AA514DD
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2134784792.000000000AA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_aa50000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: cb71011e4e6fad0179312da04f69d559c909bddee736cb01abb19b0500aff75c
                                      • Instruction ID: eefaeec436573ac30b69595f73b1a816b3be064bfb07a50ad57ad0ba76a348ae
                                      • Opcode Fuzzy Hash: cb71011e4e6fad0179312da04f69d559c909bddee736cb01abb19b0500aff75c
                                      • Instruction Fuzzy Hash: E11103B98002499FCB10DF99D548BEEBBF8FB48310F10840AD919A3350C379A984CFA5
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0AA514DD
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2134784792.000000000AA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_aa50000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: aa391eb2a4827086906e00ef1e7cdecbabd7b7852c4de5cab6efabd4afb01ab3
                                      • Instruction ID: 812a0273ab421513fedea3326bdbcf8ceeefc471ff125482f566a4c538506e96
                                      • Opcode Fuzzy Hash: aa391eb2a4827086906e00ef1e7cdecbabd7b7852c4de5cab6efabd4afb01ab3
                                      • Instruction Fuzzy Hash: 5211D3B58003499FDB10DF9AD449BDEBBF8FB48320F108459D958A7340C379A984CFA5
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125041944.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_80d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 996ba0f988ded2cd21a7ac229dd8df6aca99e8d6dee2144a91e480d83ae55636
                                      • Instruction ID: 0b879fa183987d1714907977aa1fbb4e70150f32c2f5a42d64c84a6fee6968c5
                                      • Opcode Fuzzy Hash: 996ba0f988ded2cd21a7ac229dd8df6aca99e8d6dee2144a91e480d83ae55636
                                      • Instruction Fuzzy Hash: A821F4B1504344DFDB45DF94D9C0B26BB65FB88314F24C569ED054B286C336E816CBA1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125041944.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_80d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6072fa9bf39a12c3259e1d94027564fbead1337079126b5df808c3a931e8a0d4
                                      • Instruction ID: 9580a2e487013043d8ccce170eeacd5ec830bcbb48e79e06090eb0afe5c977da
                                      • Opcode Fuzzy Hash: 6072fa9bf39a12c3259e1d94027564fbead1337079126b5df808c3a931e8a0d4
                                      • Instruction Fuzzy Hash: 262100B2504344EFDB45DF94DDC0B26BF65FB98318F24C569EC098B296C336D816CAA2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125089204.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_81d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69f64a4a3b3cb6e6db9c6b66712b2f30a7843da8f3d9efe7c3416611e788cfd4
                                      • Instruction ID: fb5ef5bbfc2f51c3cc457d9bffdfed5a47039b6ba267560c134cc68d3ec9ec79
                                      • Opcode Fuzzy Hash: 69f64a4a3b3cb6e6db9c6b66712b2f30a7843da8f3d9efe7c3416611e788cfd4
                                      • Instruction Fuzzy Hash: 422107B1504344EFDB05DF14D5C0B65BBA9FF84318F34C66DD8198B251C33AE886CA61
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125089204.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_81d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9593b7eeeb5fd4abfa30069d8bf0e2daef728739ebf3fb6b5c193376f4caa4b7
                                      • Instruction ID: 61340f3b389332d6a55e66a8d1a3f8a68c621e67bcf8ffa9c39ab0c2d170ceda
                                      • Opcode Fuzzy Hash: 9593b7eeeb5fd4abfa30069d8bf0e2daef728739ebf3fb6b5c193376f4caa4b7
                                      • Instruction Fuzzy Hash: 3E21D3B5504744DFDB14DF14D984B56BB69FF88314F24C56DD80A8B246C33AD887CA61
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125041944.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_80d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 137f5766051e4324e45f0217ede9c43a14289fab1ea42f994ba2cff73d56ee7c
                                      • Instruction ID: 971a803bb8b8beb034b5fec639c4fdab121fbd79d86a075490a55273221e995c
                                      • Opcode Fuzzy Hash: 137f5766051e4324e45f0217ede9c43a14289fab1ea42f994ba2cff73d56ee7c
                                      • Instruction Fuzzy Hash: 0A219D76504340DFDB06CF54D9C4B16BF62FB84314F24C5A9DD494B696C33AE82ACBA1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125041944.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_80d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                      • Instruction ID: e889ffcb6df1280120fdff9b2bafdcd8a26b312edfd5964f350fbbced7d860cc
                                      • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                      • Instruction Fuzzy Hash: FD11DF72504280CFCB02CF54D9C4B16BF71FB98314F24C6A9DC494B696C336D85ACBA1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125089204.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_81d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                      • Instruction ID: 19b68beff2ea8f6ae5831a0937ec5de3dbcdf212da5ce510704f7dd5840b19ee
                                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                      • Instruction Fuzzy Hash: 1311BB75504780CFCB11CF14D5C4B16BBA2FB88314F24C6AAD8498B656C33AD88BCBA2
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2125089204.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_81d000_XyLTxdgHV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                      • Instruction ID: 68c3ac612aa3826c6202a20333058a74896bf199386184198f387917e0843e8c
                                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                      • Instruction Fuzzy Hash: B911BB75904380DFCB02CF14D5C4B15BBA2FF84314F24C6A9D8498B696C33AE84ACB61

Execution Graph

Execution Coverage: 1.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.6%
Total number of Nodes: 632
Total number of Limit Nodes: 17
                                      execution_graph 45801 404e06 WaitForSingleObject 45802 404e20 SetEvent CloseHandle 45801->45802 45803 404e37 closesocket 45801->45803 45804 404eb8 45802->45804 45805 404e44 45803->45805 45806 404e5a 45805->45806 45814 4050c4 83 API calls 45805->45814 45807 404e6c WaitForSingleObject 45806->45807 45808 404eae SetEvent CloseHandle 45806->45808 45815 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45807->45815 45808->45804 45811 404e7b SetEvent WaitForSingleObject 45816 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45811->45816 45813 404e93 SetEvent CloseHandle CloseHandle 45813->45808 45814->45806 45815->45811 45816->45813 45817 4457a9 GetLastError 45818 4457c2 45817->45818 45819 4457c8 45817->45819 45843 445ceb 11 API calls 2 library calls 45818->45843 45823 44581f SetLastError 45819->45823 45836 443005 45819->45836 45825 445828 45823->45825 45824 4457e2 45844 443c92 20 API calls __dosmaperr 45824->45844 45827 4457f7 45827->45824 45829 4457fe 45827->45829 45846 445597 20 API calls __Tolower 45829->45846 45830 4457e8 45832 445816 SetLastError 45830->45832 45832->45825 45833 445809 45847 443c92 20 API calls __dosmaperr 45833->45847 45835 44580f 45835->45823 45835->45832 45841 443012 __Getctype 45836->45841 45837 443052 45849 43ad91 20 API calls _abort 45837->45849 45838 44303d RtlAllocateHeap 45839 443050 45838->45839 45838->45841 45839->45824 45845 445d41 11 API calls 2 library calls 45839->45845 45841->45837 45841->45838 45848 440480 7 API calls 2 library calls 45841->45848 45843->45819 45844->45830 45845->45827 45846->45833 45847->45835 45848->45841 45849->45839 45850 40163e 45851 401646 45850->45851 45852 401649 45850->45852 45853 401688 45852->45853 45856 401676 45852->45856 45858 43229f 45853->45858 45855 40167c 45857 43229f new 22 API calls 45856->45857 45857->45855 45862 4322a4 45858->45862 45860 4322d0 45860->45855 45862->45860 45865 439adb 45862->45865 45872 440480 7 API 
calls 2 library calls 45862->45872 45873 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45862->45873 45874 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45862->45874 45870 443649 __Getctype 45865->45870 45866 443687 45876 43ad91 20 API calls _abort 45866->45876 45867 443672 RtlAllocateHeap 45869 443685 45867->45869 45867->45870 45869->45862 45870->45866 45870->45867 45875 440480 7 API calls 2 library calls 45870->45875 45872->45862 45875->45870 45876->45869 45877 43263c 45878 432648 ___BuildCatchObject 45877->45878 45903 43234b 45878->45903 45880 43264f 45882 432678 45880->45882 46167 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 45880->46167 45889 4326b7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45882->45889 46168 441763 5 API calls TranslatorGuardHandler 45882->46168 45884 432691 45886 432697 ___BuildCatchObject 45884->45886 46169 441707 5 API calls TranslatorGuardHandler 45884->46169 45887 432717 45914 4328c9 45887->45914 45889->45887 46170 4408e7 35 API calls 4 library calls 45889->46170 45898 432743 45900 43274c 45898->45900 46171 4408c2 28 API calls _abort 45898->46171 46172 4324c2 13 API calls 2 library calls 45900->46172 45904 432354 45903->45904 46173 4329da IsProcessorFeaturePresent 45904->46173 45906 432360 46174 436cd1 10 API calls 4 library calls 45906->46174 45908 432365 45913 432369 45908->45913 46175 4415bf 45908->46175 45910 432380 45910->45880 45913->45880 46191 434c30 45914->46191 45917 43271d 45918 4416b4 45917->45918 46193 44c239 45918->46193 45920 4416bd 45921 432726 45920->45921 46197 443d25 35 API calls 45920->46197 45923 40d3f0 45921->45923 46199 41a8da LoadLibraryA GetProcAddress 45923->46199 45925 40d40c 46206 40dd83 45925->46206 45927 40d415 46221 4020d6 45927->46221 45930 4020d6 28 API calls 45931 40d433 45930->45931 46227 419d87 45931->46227 45935 40d445 46253 401e6d 
45935->46253 45937 40d44e 45938 40d461 45937->45938 45939 40d4b8 45937->45939 46259 40e609 45938->46259 45940 401e45 22 API calls 45939->45940 45942 40d4c6 45940->45942 45946 401e45 22 API calls 45942->45946 45945 40d47f 46274 40f98d 45945->46274 45947 40d4e5 45946->45947 46290 4052fe 45947->46290 45950 40d4f4 46295 408209 45950->46295 45959 40d4a3 45961 401fb8 11 API calls 45959->45961 45963 40d4ac 45961->45963 46162 4407f6 GetModuleHandleW 45963->46162 45964 401fb8 11 API calls 45965 40d520 45964->45965 45966 401e45 22 API calls 45965->45966 45967 40d529 45966->45967 46312 401fa0 45967->46312 45969 40d534 45970 401e45 22 API calls 45969->45970 45971 40d54f 45970->45971 45972 401e45 22 API calls 45971->45972 45973 40d569 45972->45973 45974 40d5cf 45973->45974 46316 40822a 28 API calls 45973->46316 45976 401e45 22 API calls 45974->45976 45981 40d5dc 45976->45981 45977 40d594 45978 401fc2 28 API calls 45977->45978 45979 40d5a0 45978->45979 45982 401fb8 11 API calls 45979->45982 45980 40d650 45986 40d660 CreateMutexA GetLastError 45980->45986 45981->45980 45983 401e45 22 API calls 45981->45983 45984 40d5a9 45982->45984 45985 40d5f5 45983->45985 46317 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45984->46317 45989 40d5fc OpenMutexA 45985->45989 45987 40d987 45986->45987 45988 40d67f 45986->45988 45992 401fb8 11 API calls 45987->45992 46030 40d9ec 45987->46030 45990 40d688 45988->45990 45991 40d68a GetModuleFileNameW 45988->45991 45994 40d622 45989->45994 45995 40d60f WaitForSingleObject CloseHandle 45989->45995 45990->45991 46320 4192ae 33 API calls 45991->46320 46016 40d99a ___scrt_fastfail 45992->46016 46318 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45994->46318 45995->45994 45997 40d5c5 45997->45974 45999 40dd0f 45997->45999 45998 40d6a0 46000 40d6f5 45998->46000 46002 401e45 22 API calls 45998->46002 46350 41239a 30 API calls 45999->46350 46004 401e45 22 API calls 46000->46004 46010 40d6bf 46002->46010 46012 40d720 46004->46012 46005 40dd22 46351 
410eda 65 API calls ___scrt_fastfail 46005->46351 46007 40d63b 46007->45980 46319 41239a 30 API calls 46007->46319 46008 40dcfa 46038 40dd6a 46008->46038 46352 402073 28 API calls 46008->46352 46010->46000 46017 40d6f7 46010->46017 46024 40d6db 46010->46024 46011 40d731 46015 401e45 22 API calls 46011->46015 46012->46011 46324 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46012->46324 46023 40d73a 46015->46023 46332 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey 46016->46332 46322 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 46017->46322 46018 40dd3a 46353 4052dd 28 API calls 46018->46353 46029 401e45 22 API calls 46023->46029 46024->46000 46321 4067a0 36 API calls ___scrt_fastfail 46024->46321 46026 40d70d 46026->46000 46323 4066a6 58 API calls 46026->46323 46034 40d755 46029->46034 46035 401e45 22 API calls 46030->46035 46040 401e45 22 API calls 46034->46040 46037 40da10 46035->46037 46333 402073 28 API calls 46037->46333 46354 413980 161 API calls _strftime 46038->46354 46043 40d76f 46040->46043 46045 401e45 22 API calls 46043->46045 46044 40da22 46334 41215f 14 API calls 46044->46334 46047 40d789 46045->46047 46051 401e45 22 API calls 46047->46051 46048 40da38 46049 401e45 22 API calls 46048->46049 46050 40da44 46049->46050 46335 439867 39 API calls _strftime 46050->46335 46054 40d7a3 46051->46054 46053 40d810 46053->46016 46060 401e45 22 API calls 46053->46060 46093 40d89f ___scrt_fastfail 46053->46093 46054->46053 46056 401e45 22 API calls 46054->46056 46055 40da51 46057 40da7e 46055->46057 46336 41aa4f 81 API calls ___scrt_fastfail 46055->46336 46065 40d7b8 _wcslen 46056->46065 46337 402073 28 API calls 46057->46337 46063 40d831 46060->46063 46061 40da70 CreateThread 46061->46057 46591 41b212 10 API calls 46061->46591 46062 40da8d 46338 402073 28 API calls 46062->46338 46067 401e45 22 API calls 46063->46067 46065->46053 46071 401e45 22 API calls 46065->46071 46066 40da9c 46339 4194da 79 API calls 46066->46339 46069 40d843 
46067->46069 46075 401e45 22 API calls 46069->46075 46070 40daa1 46072 401e45 22 API calls 46070->46072 46073 40d7d3 46071->46073 46074 40daad 46072->46074 46077 401e45 22 API calls 46073->46077 46079 401e45 22 API calls 46074->46079 46076 40d855 46075->46076 46081 401e45 22 API calls 46076->46081 46078 40d7e8 46077->46078 46325 40c5ed 31 API calls 46078->46325 46080 40dabf 46079->46080 46084 401e45 22 API calls 46080->46084 46083 40d87e 46081->46083 46089 401e45 22 API calls 46083->46089 46086 40dad5 46084->46086 46085 40d7fb 46326 401ef3 28 API calls 46085->46326 46092 401e45 22 API calls 46086->46092 46088 40d807 46327 401ee9 11 API calls 46088->46327 46091 40d88f 46089->46091 46328 40b871 46 API calls _wcslen 46091->46328 46094 40daf5 46092->46094 46329 412338 31 API calls 46093->46329 46340 439867 39 API calls _strftime 46094->46340 46097 40d942 ctype 46101 401e45 22 API calls 46097->46101 46099 40db02 46100 401e45 22 API calls 46099->46100 46102 40db0d 46100->46102 46103 40d959 46101->46103 46104 401e45 22 API calls 46102->46104 46103->46030 46106 401e45 22 API calls 46103->46106 46105 40db1e 46104->46105 46341 408f1f 166 API calls _wcslen 46105->46341 46107 40d976 46106->46107 46330 419bca 28 API calls 46107->46330 46110 40d982 46331 40de34 88 API calls 46110->46331 46111 40db33 46113 401e45 22 API calls 46111->46113 46115 40db3c 46113->46115 46114 40db83 46116 401e45 22 API calls 46114->46116 46115->46114 46117 43229f new 22 API calls 46115->46117 46122 40db91 46116->46122 46118 40db53 46117->46118 46119 401e45 22 API calls 46118->46119 46120 40db65 46119->46120 46125 40db6c CreateThread 46120->46125 46121 40dbd9 46124 401e45 22 API calls 46121->46124 46122->46121 46123 43229f new 22 API calls 46122->46123 46126 40dba5 46123->46126 46130 40dbe2 46124->46130 46125->46114 46589 417f6a 101 API calls 2 library calls 46125->46589 46127 401e45 22 API calls 46126->46127 46128 40dbb6 46127->46128 46133 40dbbd CreateThread 46128->46133 46129 40dc4c 46131 401e45 22 
API calls 46129->46131 46130->46129 46132 401e45 22 API calls 46130->46132 46135 40dc55 46131->46135 46134 40dbfc 46132->46134 46133->46121 46586 417f6a 101 API calls 2 library calls 46133->46586 46137 401e45 22 API calls 46134->46137 46136 40dc99 46135->46136 46139 401e45 22 API calls 46135->46139 46347 4195f8 79 API calls 46136->46347 46140 40dc11 46137->46140 46142 40dc69 46139->46142 46342 40c5a1 31 API calls 46140->46342 46141 40dca2 46348 401ef3 28 API calls 46141->46348 46147 401e45 22 API calls 46142->46147 46144 40dcad 46349 401ee9 11 API calls 46144->46349 46150 40dc7e 46147->46150 46148 40dc24 46343 401ef3 28 API calls 46148->46343 46149 40dcb6 CreateThread 46154 40dce5 46149->46154 46155 40dcd9 CreateThread 46149->46155 46587 40e18d 122 API calls 46149->46587 46345 439867 39 API calls _strftime 46150->46345 46153 40dc30 46344 401ee9 11 API calls 46153->46344 46154->46008 46157 40dcee CreateThread 46154->46157 46155->46154 46588 410b5c 137 API calls 46155->46588 46157->46008 46590 411140 38 API calls ___scrt_fastfail 46157->46590 46159 40dc39 CreateThread 46159->46129 46592 401bc9 49 API calls _strftime 46159->46592 46160 40dc8b 46346 40b0a3 7 API calls 46160->46346 46163 432739 46162->46163 46163->45898 46164 44091f 46163->46164 46594 44069c 46164->46594 46167->45880 46168->45884 46169->45889 46170->45887 46171->45900 46172->45886 46173->45906 46174->45908 46179 44cd48 46175->46179 46178 436cfa 8 API calls 3 library calls 46178->45913 46182 44cd61 46179->46182 46181 432372 46181->45910 46181->46178 46183 432d4b 46182->46183 46184 432d56 IsProcessorFeaturePresent 46183->46184 46185 432d54 46183->46185 46187 432d98 46184->46187 46185->46181 46190 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46187->46190 46189 432e7b 46189->46181 46190->46189 46192 4328dc GetStartupInfoW 46191->46192 46192->45917 46194 44c24b 46193->46194 46195 44c242 46193->46195 46194->45920 46198 44c138 48 API calls 5 library calls 
46195->46198 46197->45920 46198->46194 46200 41a919 LoadLibraryA GetProcAddress 46199->46200 46201 41a909 GetModuleHandleA GetProcAddress 46199->46201 46202 41a947 GetModuleHandleA GetProcAddress 46200->46202 46203 41a937 GetModuleHandleA GetProcAddress 46200->46203 46201->46200 46204 41a973 24 API calls 46202->46204 46205 41a95f GetModuleHandleA GetProcAddress 46202->46205 46203->46202 46204->45925 46205->46204 46355 419493 FindResourceA 46206->46355 46209 439adb new 21 API calls 46210 40ddad ctype 46209->46210 46358 402097 46210->46358 46213 401fc2 28 API calls 46214 40ddd3 46213->46214 46215 401fb8 11 API calls 46214->46215 46216 40dddc 46215->46216 46217 439adb new 21 API calls 46216->46217 46218 40dded ctype 46217->46218 46364 4062ee 46218->46364 46220 40de20 46220->45927 46222 4020ec 46221->46222 46223 4023ae 11 API calls 46222->46223 46224 402106 46223->46224 46225 402549 28 API calls 46224->46225 46226 402114 46225->46226 46226->45930 46416 4020bf 46227->46416 46229 419e0a 46230 401fb8 11 API calls 46229->46230 46231 419e3c 46230->46231 46232 401fb8 11 API calls 46231->46232 46234 419e44 46232->46234 46233 419e0c 46422 404182 28 API calls 46233->46422 46237 401fb8 11 API calls 46234->46237 46239 40d43c 46237->46239 46238 419e18 46240 401fc2 28 API calls 46238->46240 46249 40e563 46239->46249 46242 419e21 46240->46242 46241 401fc2 28 API calls 46248 419d9a 46241->46248 46243 401fb8 11 API calls 46242->46243 46245 419e29 46243->46245 46244 401fb8 11 API calls 46244->46248 46423 41ab9a 28 API calls 46245->46423 46248->46229 46248->46233 46248->46241 46248->46244 46420 404182 28 API calls 46248->46420 46421 41ab9a 28 API calls 46248->46421 46250 40e56f 46249->46250 46252 40e576 46249->46252 46424 402143 11 API calls 46250->46424 46252->45935 46254 402143 46253->46254 46255 40217f 46254->46255 46425 402710 11 API calls 46254->46425 46255->45937 46257 402164 46426 4026f2 11 API calls std::_Deallocate 46257->46426 46260 40e624 46259->46260 46427 40f57c 
46260->46427 46266 40e663 46267 40d473 46266->46267 46443 40f663 46266->46443 46269 401e45 46267->46269 46270 401e4d 46269->46270 46271 401e55 46270->46271 46538 402138 22 API calls 46270->46538 46271->45945 46276 40f997 __EH_prolog 46274->46276 46539 40fcfb 46276->46539 46277 40f663 36 API calls 46278 40fb90 46277->46278 46543 40fce0 46278->46543 46280 40d491 46282 40e5ba 46280->46282 46281 40fa1a 46281->46277 46549 40f4c6 46282->46549 46285 40d49a 46287 40dd70 46285->46287 46286 40f663 36 API calls 46286->46285 46559 40e5da 70 API calls 46287->46559 46289 40dd7b 46291 4020bf 11 API calls 46290->46291 46292 40530a 46291->46292 46560 403280 46292->46560 46294 405326 46294->45950 46564 4051cf 46295->46564 46297 408217 46568 402035 46297->46568 46300 401fc2 46301 401fd1 46300->46301 46302 402019 46300->46302 46303 4023ae 11 API calls 46301->46303 46309 401fb8 46302->46309 46304 401fda 46303->46304 46305 40201c 46304->46305 46306 401ff5 46304->46306 46307 40265a 11 API calls 46305->46307 46583 403078 28 API calls 46306->46583 46307->46302 46310 4023ae 11 API calls 46309->46310 46311 401fc1 46310->46311 46311->45964 46313 401fb2 46312->46313 46314 401fa9 46312->46314 46313->45969 46584 4025c0 28 API calls 46314->46584 46316->45977 46317->45997 46318->46007 46319->45980 46320->45998 46321->46000 46322->46026 46323->46000 46324->46011 46325->46085 46326->46088 46327->46053 46328->46093 46329->46097 46330->46110 46331->45987 46332->46030 46333->46044 46334->46048 46335->46055 46336->46061 46337->46062 46338->46066 46339->46070 46340->46099 46341->46111 46342->46148 46343->46153 46344->46159 46345->46160 46346->46136 46347->46141 46348->46144 46349->46149 46350->46005 46352->46018 46585 418ccd 104 API calls 46354->46585 46356 4194b0 LoadResource LockResource SizeofResource 46355->46356 46357 40dd9e 46355->46357 46356->46357 46357->46209 46359 40209f 46358->46359 46367 4023ae 46359->46367 46361 4020aa 46371 4024ea 46361->46371 46363 4020b9 46363->46213 46365 402097 28 API 

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                      • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                      • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                      • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                      • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                      • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                      • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModule$LibraryLoad
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                      • API String ID: 551388010-2474455403
                                      • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                      • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                      • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                      • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                      • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                      • ExitProcess.KERNEL32 ref: 004407EF
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                      • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                      • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                      • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                        • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                      • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                      • API String ID: 1529173511-1365410817
                                      • Opcode ID: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                                      • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                      • Opcode Fuzzy Hash: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                                      • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                      Control-flow Graph

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                      • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                      • closesocket.WS2_32(?), ref: 00404E3A
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID:
                                      • API String ID: 3658366068-0
                                      • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                      • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                      • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                      • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                                      Control-flow Graph

                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                      • _free.LIBCMT ref: 004457E3
                                      • _free.LIBCMT ref: 0044580A
                                      • SetLastError.KERNEL32(00000000), ref: 00445817
                                      • SetLastError.KERNEL32(00000000), ref: 00445820
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                      • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                      • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                      • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                      • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                      • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                      • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                      • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                                      Control-flow Graph

                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                      • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                      • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                      • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                      • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                      • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                      • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Control-flow Graph (node id followed by its basic-block address range; "->" edges are successors; the original rendering colours each node as executed or not executed)
control_flow_graph 515 443005-443010 516 443012-44301c 515->516 517 44301e-443024 515->517 516->517 518 443052-44305d call 43ad91 516->518 519 443026-443027 517->519 520 44303d-44304e RtlAllocateHeap 517->520 525 44305f-443061 518->525 519->520 521 443050 520->521 522 443029-443030 call 442a57 520->522 521->525 522->518 528 443032-44303b call 440480 522->528 528->518 528->520
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                      • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                                      • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                      • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

Control-flow Graph (node id followed by its basic-block address range; "->" edges are successors; the original rendering colours each node as executed or not executed)
control_flow_graph 531 443649-443655 532 443687-443692 call 43ad91 531->532 533 443657-443659 531->533 541 443694-443696 532->541 534 443672-443683 RtlAllocateHeap 533->534 535 44365b-44365c 533->535 537 443685 534->537 538 44365e-443665 call 442a57 534->538 535->534 537->541 538->532 543 443667-443670 call 440480 538->543 543->532 543->534
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                      • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                      • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                      • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                        • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                        • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                        • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                      • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                      • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                      • API String ID: 3018269243-1736093966
                                      • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                      • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                      • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                      • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                      • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                        • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                        • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                        • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                        • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                        • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                      • DeleteFileA.KERNEL32(?), ref: 0040768E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                      • API String ID: 1385304114-1507758755
                                      • Opcode ID: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                                      • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                      • Opcode Fuzzy Hash: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                                      • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004056C6
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • __Init_thread_footer.LIBCMT ref: 00405703
                                      • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                      • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                      • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                      • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                      • CloseHandle.KERNEL32 ref: 00405A03
                                      • CloseHandle.KERNEL32 ref: 00405A0B
                                      • CloseHandle.KERNEL32 ref: 00405A1D
                                      • CloseHandle.KERNEL32 ref: 00405A25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: SystemDrive$cmd.exe
                                      • API String ID: 2994406822-3633465311
                                      • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                      • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                      • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                      • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                      • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                      • FindClose.KERNEL32(00000000), ref: 0040AC53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                      • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                                      • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                      • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                      • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                      • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                      • FindClose.KERNEL32(00000000), ref: 0040AE11
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                      • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                                      • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                      • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                                      APIs
                                      • OpenClipboard.USER32 ref: 00414EC2
                                      • EmptyClipboard.USER32 ref: 00414ED0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                      • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                      • CloseClipboard.USER32 ref: 00414F55
                                      • OpenClipboard.USER32 ref: 00414F5C
                                      • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                      • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                      • CloseClipboard.USER32 ref: 00414F84
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID:
                                      • API String ID: 3520204547-0
                                      • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                      • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                                      • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                      • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7
                                      • API String ID: 0-3177665633
                                      • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                      • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                                      • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                      • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                      • GetLastError.KERNEL32 ref: 00418771
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                      • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                                      • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                      • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                      • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                      • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                      • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                                      • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                      • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                      • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                      • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                                      • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                      • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                                      APIs
                                        • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                      • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                      • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                        • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                      • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                      • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                      • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                        • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                        • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID: $.F
                                      • API String ID: 3950776272-1421728423
                                      • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                      • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                                      • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                      • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                      • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                      • GetLastError.KERNEL32 ref: 00409375
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                      • TranslateMessage.USER32(?), ref: 004093D2
                                      • DispatchMessageA.USER32(?), ref: 004093DD
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 00409389
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                      • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                                      • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                      • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                      • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      • Opcode ID: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                                      • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                                      • Opcode Fuzzy Hash: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                                      • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                                      APIs
                                      • _free.LIBCMT ref: 00446741
                                      • _free.LIBCMT ref: 00446765
                                      • _free.LIBCMT ref: 004468EC
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                      • _free.LIBCMT ref: 00446AB8
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                      • String ID:
                                      • API String ID: 314583886-0
                                      • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                      • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                                      • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                      • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                                      APIs
                                        • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                        • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                        • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                      • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                      • ExitProcess.KERNEL32 ref: 0040E2B4
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                      • API String ID: 2281282204-1386060931
                                      • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                      • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                      • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                      • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                      • InternetCloseHandle.WININET(00000000), ref: 00419407
                                      • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 004193A2
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                      • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                      • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                      • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
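The WinINet sequence above (InternetOpenW, InternetOpenUrlW against http://geoplugin.net/json.gp, InternetReadFile) is the implant looking up the victim's public IP geolocation. The following is an added detection example, not part of the Joe Sandbox report: it parses Zeek http.log records and flags that exact host and path. The log excerpt, hosts and IPs are constructed; the Zeek field names (ts, id.orig_h, host, uri, user_agent) are the standard ones.

```python
"""Flag geoplugin.net/json.gp lookups in Zeek http.log (added example, constructed data)."""
from typing import Dict, Iterator, List

# Constructed Zeek http.log excerpt (tab-separated, '#fields' header as Zeek writes it).
# IPs are from documentation ranges; nothing here is taken from a real capture.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent
#types\ttime\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring
1730293200.123456\t10.0.0.15\t49812\t198.51.100.20\t80\tGET\texample.com\t/index.html\tMozilla/5.0
1730293201.654321\t10.0.0.15\t49815\t203.0.113.7\t80\tGET\tgeoplugin.net\t/json.gp\t-
1730293202.000001\t10.0.0.22\t51000\t203.0.113.7\t80\tGET\tgeoplugin.net\t/extras/location.gp\tMozilla/5.0
"""

# The host and path the sample requests, as shown in the strings of this function.
GEOPLUGIN_HOST = "geoplugin.net"
GEOPLUGIN_URI = "/json.gp"


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#fields' header line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def find_geoplugin_lookups(text: str) -> List[Dict[str, str]]:
    """Return the records that match the geolocation request made by the sample."""
    hits = []
    for rec in parse_zeek_log(text):
        if rec.get("host", "").lower() == GEOPLUGIN_HOST and rec.get("uri", "") == GEOPLUGIN_URI:
            hits.append({
                "ts": rec["ts"],
                "src": rec["id.orig_h"],
                "user_agent": rec.get("user_agent", "-"),
            })
    return hits
```

geoplugin.net is a legitimate public service, so a hit is a triage trigger rather than a verdict: pivot from the source host and timestamp to EDR process telemetry to see which binary made the request.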
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                      • GetLastError.KERNEL32 ref: 0040A999
                                      Strings
                                      • UserProfile, xrefs: 0040A95F
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                      • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                      • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                      • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                      • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
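This function builds %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data, calls DeleteFileA on it and logs whether the file was found. Deleting the password database forces Chrome users to re-enter credentials, which the keylogger then captures. The following is an added detection example, not part of the report: it runs a rule over Sysmon file-deletion events (Event ID 23 FileDelete, 26 FileDeleteDetected). The events are constructed; the rule generalises slightly beyond the sample by matching any Chrome profile directory, not only Default.

```python
"""Detect non-Chrome deletion of Chrome 'Login Data' via Sysmon FileDelete events (added example)."""
import re
from typing import Dict, List

# ...\Google\Chrome\User Data\<profile>\Login Data, where <profile> is 'Default' (the only
# directory the sample targets) or 'Profile N'. The '-journal' sibling is covered as well.
LOGIN_DATA_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(Default|Profile \d+)\\Login Data(-journal)?$",
    re.IGNORECASE,
)

# Process image names expected to touch the file legitimately.
ALLOWED_IMAGES = {"chrome.exe"}

# Constructed Sysmon events, already flattened to key/value form as a SIEM presents them.
# Event ID 11 (FileCreate) is included as a negative case.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "23", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal",
     "User": "LAB\\alice", "ProcessId": "4120"},
    {"EventID": "26", "Image": r"C:\Users\alice\AppData\Local\Temp\z1ProductSampleRequirement.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "User": "LAB\\alice", "ProcessId": "5588"},
    {"EventID": "23", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.pdf",
     "User": "LAB\\alice", "ProcessId": "3004"},
    {"EventID": "11", "Image": r"C:\Users\alice\AppData\Local\Temp\z1ProductSampleRequirement.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "User": "LAB\\alice", "ProcessId": "5588"},
]


def is_suspicious_login_data_delete(event: Dict[str, str]) -> bool:
    """True when a deletion of Chrome's Login Data comes from a process other than chrome.exe."""
    if event.get("EventID") not in {"23", "26"}:
        return False
    if not LOGIN_DATA_RE.search(event.get("TargetFilename", "")):
        return False
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image not in ALLOWED_IMAGES


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the fields an analyst needs for each alerting event."""
    return [
        {"pid": e["ProcessId"], "image": e["Image"], "file": e["TargetFilename"], "user": e["User"]}
        for e in events if is_suspicious_login_data_delete(e)
    ]
```

The allow-list keys on the image file name only, which a malicious binary can satisfy by calling itself chrome.exe; in production, tighten the exception to the expected installation path or the Sysmon signature fields. Sysmon only emits Event 23/26 when its configuration enables FileDelete logging, so confirm that before relying on this rule.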
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                      • GetLastError.KERNEL32 ref: 00415CDB
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                      • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                      • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                      • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00408393
                                        • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                        • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                        • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                        • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                      • FindClose.KERNEL32(00000000), ref: 004086F4
                                        • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                        • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                      • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                                      • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                      • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0040949C
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                      • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                      • GetKeyState.USER32(00000010), ref: 004094B8
                                      • GetKeyboardState.USER32(?), ref: 004094C5
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                      • String ID:
                                      • API String ID: 3566172867-0
                                      • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                      • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                                      • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                      • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                      • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                                      • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                      • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: H"G$`'G$`'G
                                      • API String ID: 341183262-2774397156
                                      • Opcode ID: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                                      • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                                      • Opcode Fuzzy Hash: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                                      • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                                      APIs
                                        • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                        • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                        • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                        • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                        • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                      • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-1420736420
                                      • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                                      • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                                      • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                                      • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                                      • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                      • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                                      • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                      • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                      • wsprintfW.USER32 ref: 0040A13F
                                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      • API String ID: 1497725170-248792730
                                      • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                      • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                                      • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                      • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
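This function stamps keylog entries with GetLocalTime through wsprintfW("[%04i/%02i/%02i %02i:%02i:%02i ", ...), followed by a label such as "Offline Keylogger Started" and a closing "]". Two points matter for forensics: the time is the victim's local time, not UTC, and the header format is fixed, so a recovered log can be split into timestamped entries. The following is an added example, not part of the report: a parser for that header format with optional conversion to UTC. The log text is constructed, and the assumption that later headers carry the foreground window title is mine; the report only shows the start marker.

```python
"""Parse Remcos-style offline keylog headers '[YYYY/MM/DD HH:MM:SS <label>]' (added example)."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# What wsprintfW("[%04i/%02i/%02i %02i:%02i:%02i ", ...) plus a label and "]" produces.
HEADER_RE = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (?P<label>[^\]]*)\]$"
)

START_MARKER = "Offline Keylogger Started"

# Constructed log; the window titles and keystrokes are invented for the example.
SAMPLE_KEYLOG = """[2024/10/30 09:12:05 Offline Keylogger Started]
[2024/10/30 09:12:41 Untitled - Notepad]
hello world
[2024/10/30 09:13:02 Sign in - Google Chrome]
alice@example.com[Tab]hunter2[Enter]
"""


class KeylogEntry(NamedTuple):
    when_local: datetime          # as written by the implant (victim local time)
    when_utc: Optional[datetime]  # only filled when the victim's UTC offset is supplied
    label: str                    # start marker or window title
    body: str                     # keystrokes captured until the next header


def parse_keylog(text: str, victim_utc_offset_hours: Optional[float] = None) -> List[KeylogEntry]:
    """Split a recovered keylog into entries; convert timestamps to UTC if an offset is known."""
    tz = timezone(timedelta(hours=victim_utc_offset_hours)) if victim_utc_offset_hours is not None else None
    entries: List[KeylogEntry] = []
    current: Optional[KeylogEntry] = None
    body_lines: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                entries.append(current._replace(body="\n".join(body_lines)))
            y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
            local = datetime(y, mo, d, h, mi, s)
            utc = local.replace(tzinfo=tz).astimezone(timezone.utc) if tz else None
            current = KeylogEntry(local, utc, m.group("label"), "")
            body_lines = []
        else:
            body_lines.append(line)
    if current is not None:
        entries.append(current._replace(body="\n".join(body_lines)))
    return entries


def session_starts(entries: List[KeylogEntry]) -> List[datetime]:
    """Local timestamps at which the offline keylogger was (re)started."""
    return [e.when_local for e in entries if e.label == START_MARKER]
```

Take the offset from the victim machine's time zone setting rather than from the analyst's workstation, and remember that a victim typing a string that itself matches the header pattern would be misread as a new entry; the format gives no way to escape it.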
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                      • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                      • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                      • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                      • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                                      • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                      • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
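FindResourceA("SETTINGS", 0x0A) followed by LoadResource, LockResource and SizeofResource is the implant reading its configuration from an RT_RCDATA resource named SETTINGS, which is what makes automated configuration extraction feasible. The following is an added example, not code from the report or from Joe Sandbox. The blob layout it assumes (one length byte, the RC4 key, then the RC4-encrypted configuration, with fields separated by "|\x1e\x1d\x1f|") comes from public analyses of Remcos 3.x/4.x and is not stated on this page; the configuration fields and key used for the demonstration are constructed, and extract_settings_resource relies on the third-party pefile library.

```python
"""Decode a Remcos 'SETTINGS' RCDATA blob (added example; layout assumed from public analyses)."""
from typing import List, Optional

# Field separator inside the decrypted configuration (assumption, not taken from this report).
FIELD_SEP = b"|\x1e\x1d\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same routine builds the test blob."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_settings(blob: bytes) -> List[bytes]:
    """blob = [key_len:1][key:key_len][rc4(config)]  ->  list of configuration fields."""
    if len(blob) < 2:
        raise ValueError("SETTINGS blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("implausible key length")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    return plain.split(FIELD_SEP)


def encode_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Inverse of decode_settings; used here only to construct demonstration data."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def extract_settings_resource(path: str) -> Optional[bytes]:
    """Pull the RT_RCDATA (type 10) resource named SETTINGS out of a PE with pefile."""
    import pefile  # third-party; only needed for this function
    pe = pefile.PE(path)
    for type_entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if type_entry.id != 10:
            continue
        for name_entry in type_entry.directory.entries:
            if name_entry.name is None or str(name_entry.name) != "SETTINGS":
                continue
            for lang_entry in name_entry.directory.entries:
                st = lang_entry.data.struct
                return pe.get_data(st.OffsetToData, st.Size)
    return None


# Constructed configuration, NOT this sample's real configuration: a host:port:password-style
# C2 entry, a campaign name and a version string in the style of the "3.8.0 Pro" string above.
CONSTRUCTED_FIELDS = [b"c2.example.invalid:2404:1", b"RemoteHost", b"3.8.0 Pro"]
CONSTRUCTED_KEY = b"AnExampleKey"
CONSTRUCTED_BLOB = encode_settings(CONSTRUCTED_KEY, CONSTRUCTED_FIELDS)
```

Because the key travels in the resource next to the ciphertext, RC4 here provides obfuscation rather than confidentiality; run extract_settings_resource on the unpacked payload (the final-stage PE dumped from process 14 in this report), not on the .NET loader, since the loader does not carry the SETTINGS resource in clear.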
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004087A5
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                      • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                                      • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                      • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                                      • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                      • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID:
                                      • API String ID: 745075371-0
                                      • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                      • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                                      • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                      • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0040784D
                                      • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                      • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                                      • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                      • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                                      APIs
                                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                        • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                        • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 1735047541-0
                                      • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                      • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                                      • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                      • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: A%E$A%E
                                      • API String ID: 0-137320553
                                      • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                      • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                                      • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                      • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                        • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                        • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                        • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                      • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                                      • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                      • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                                      • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                      • _wcschr.LIBVCRUNTIME ref: 0044F038
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                                      • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                                      • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                                      • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: open
                                      • API String ID: 2825088817-2758837156
                                      • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                                      • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                                      • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                                      • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                      • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                                      • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                      • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                      • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                                      • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                      • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                      • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                                      • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                      • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 0040A65D
                                      • GetClipboardData.USER32(0000000D), ref: 0040A669
                                      • CloseClipboard.USER32 ref: 0040A671
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0
                                      • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                      • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                                      • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                      • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
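The entries above are the raw material for capability mapping. Each "APIs" block lists the Win32 calls one function makes; "Part of subcall function <addr>:" marks a call made inside a callee, "ref:" is the call-site address, and the parenthesised values are the stack slots at the call site as the Joe Sandbox IDA plugin prints them: the leading slots are the API's parameters, "?" is a value it could not resolve, and slots past the parameter count are caller stack contents (which is why FindFirstFileW shows sixteen of them). The numeric parameters are what give the blocks their meaning. SystemParametersInfoW(00000014, ..., 00000003) is SPI_SETDESKWALLPAPER with SPIF_UPDATEINIFILE|SPIF_SENDCHANGE, paired with RegCreateKeyA(80000001) = HKEY_CURRENT_USER and the Control Panel\Desktop TileWallpaper/WallpaperStyle values. CreateToolhelp32Snapshot(00000002) is TH32CS_SNAPPROCESS, and the OpenProcess calls with 00000400 and 00001000 request PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION, a process walk rather than an injection target. GetClipboardData(0000000D) is CF_UNICODETEXT. CryptAcquireContextA with F0000000 is CRYPT_VERIFYCONTEXT, a provider handle with no persistent key container, acquired only to pull CryptGenRandom bytes and released again. One caveat: the IsDebuggerPresent / SetUnhandledExceptionFilter(0) / UnhandledExceptionFilter triple at 004399A4 has the shape of the MSVC CRT's security-cookie failure handler, so on its own it is a weak debugger-check indicator.

The following Python is an added example, not Joe Sandbox's or the sample's own code. It parses lines in this format (its input is copied from the blocks above), decodes the constants listed, and tags each function with a capability; the capability names and the API sets behind them are this example's own choices, not Joe Sandbox signatures.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report (the format of the
listing above), decode notable Win32 constants and tag each function with a capability."""
import re
from dataclasses import dataclass
from typing import Optional

# One entry per function; the lines are copied from the "APIs" blocks above.
SAMPLE_ENTRIES = [
    """• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
  • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
  • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196""",
    """• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
  • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66""",
    """• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6""",
    """• OpenClipboard.USER32(00000000), ref: 0040A65D
• GetClipboardData.USER32(0000000D), ref: 0040A669
• CloseClipboard.USER32 ref: 0040A671""",
    """• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16""",
]

# "<api>.<module>(<stack slots>), ref: <call site>", optionally prefixed with the
# enclosing "Part of subcall function <addr>:"; the slot list may be absent.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # stack-slot tokens as printed: "00000014", "?", "open"
    ref: int             # call-site address
    via: Optional[str]   # subcall function address when the call is indirect


def parse_entry(text: str) -> list:
    """One function's "APIs" block -> ApiCall records; non-matching lines are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["via"]))
    return calls


# Only the leading slots are the API's real parameters (the rest is caller stack
# content), so decoding is keyed on (API, parameter index).
KNOWN_VALUES = {
    ("SystemParametersInfoW", 0): {0x14: "SPI_SETDESKWALLPAPER"},
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("OpenProcess", 0): {0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    ("GetClipboardData", 0): {0xD: "CF_UNICODETEXT"},
    ("RegCreateKeyA", 0): {0x80000001: "HKEY_CURRENT_USER"},
    ("CryptAcquireContextA", 4): {0xF0000000: "CRYPT_VERIFYCONTEXT"},
}
KNOWN_FLAGS = {("SystemParametersInfoW", 3): ((0x1, "SPIF_UPDATEINIFILE"), (0x2, "SPIF_SENDCHANGE"))}


def decode_args(call: ApiCall) -> dict:
    """Map parameter index -> symbolic name for every recognised value."""
    out = {}
    for i, tok in enumerate(call.args):
        if not HEX8.match(tok):
            continue                      # "?" (unresolved) or a literal such as "open"
        val, key = int(tok, 16), (call.api, i)
        if val in KNOWN_VALUES.get(key, {}):
            out[i] = KNOWN_VALUES[key][val]
        elif key in KNOWN_FLAGS:
            names = [name for bit, name in KNOWN_FLAGS[key] if val & bit]
            if names and not val & ~sum(bit for bit, _ in KNOWN_FLAGS[key]):
                out[i] = "|".join(names)  # only when no unknown bits are set
    return out


# A capability is claimed when every API in its set appears, directly or via a subcall.
CAPABILITIES = {
    "change-wallpaper": {"SystemParametersInfoW", "RegSetValueExA"},
    "enumerate-processes": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "download-and-execute": {"URLDownloadToFileW", "ShellExecuteW"},
    "read-clipboard": {"OpenClipboard", "GetClipboardData"},
    "send-directory-listing": {"FindFirstFileW", "FindNextFileW", "send"},
    "os-random-bytes": {"CryptAcquireContextA", "CryptGenRandom"},
}


def tag_capabilities(calls: list) -> set:
    present = {c.api for c in calls}
    return {cap for cap, need in CAPABILITIES.items() if need <= present}


def analyse(entries: list) -> list:
    """Per entry: first call site, capabilities, decoded constants keyed by api@site."""
    rows = []
    for text in entries:
        calls = parse_entry(text)
        consts = {f"{c.api}@{c.ref:08X}": d for c in calls if (d := decode_args(c))}
        rows.append({"entry": f"{calls[0].ref:08X}" if calls else None,
                     "capabilities": tag_capabilities(calls), "constants": consts})
    return rows
```

Feeding analyse() the full set of "APIs" blocks from a report gives a quick capability inventory to compare with the signature list in the report header (wallpaper change, clipboard read, process enumeration and download-and-launch are all present in the blocks above). A line that does not match the pattern is skipped rather than failing the run, so when a capability is unexpectedly missing, compare the number of parsed calls with the number of bullet lines in that block before trusting the result.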
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-3916222277
                                      • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                      • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                                      • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                      • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                                      • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                                      • Opcode Fuzzy Hash: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                                      • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                      • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                                      • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                      • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID:
                                      • API String ID: 4113138495-0
                                      • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                      • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                                      • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                      • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                      • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                                      • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                      • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                      • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                                      • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                      • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                      • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                                      • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                      • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                      • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                                      • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                      • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                      • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                                      • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                      • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                                      APIs
                                        • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                      • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                        • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                      • DeleteDC.GDI32(00000000), ref: 00416F32
                                      • DeleteDC.GDI32(00000000), ref: 00416F35
                                      • DeleteObject.GDI32(00000000), ref: 00416F38
                                      • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                      • DeleteDC.GDI32(00000000), ref: 00416F6A
                                      • DeleteDC.GDI32(00000000), ref: 00416F6D
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                      • GetIconInfo.USER32(?,?), ref: 00416FC5
                                      • DeleteObject.GDI32(?), ref: 00416FF4
                                      • DeleteObject.GDI32(?), ref: 00417001
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                      • DeleteDC.GDI32(?), ref: 0041713C
                                      • DeleteDC.GDI32(00000000), ref: 0041713F
                                      • DeleteObject.GDI32(00000000), ref: 00417142
                                      • GlobalFree.KERNEL32(?), ref: 0041714D
                                      • DeleteObject.GDI32(00000000), ref: 00417201
                                      • GlobalFree.KERNEL32(?), ref: 00417208
                                      • DeleteDC.GDI32(?), ref: 00417218
                                      • DeleteDC.GDI32(00000000), ref: 00417223
                                      Strings
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                      • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                      • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                      • ResumeThread.KERNEL32(?), ref: 00416773
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                      • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                      • GetLastError.KERNEL32 ref: 004167B8
                                      Strings
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      APIs
                                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                        • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                        • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                      • ExitProcess.KERNEL32 ref: 0040C389
                                      Strings
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                      • API String ID: 1861856835-1953526029
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                      • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                      • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                      • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                      • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                      • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                        • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                      • Sleep.KERNEL32(000001F4), ref: 004110E7
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                      • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                      • GetCurrentProcessId.KERNEL32 ref: 00411114
                                      Strings
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-71629269
                                      APIs
                                      • _wcslen.LIBCMT ref: 0040B882
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                      • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                      • _wcslen.LIBCMT ref: 0040B968
                                      • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                      • _wcslen.LIBCMT ref: 0040BA25
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                      • ExitProcess.KERNEL32 ref: 0040BC36
                                      Strings
                                      • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                      • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                      • API String ID: 2743683619-2376316431
                                      APIs
                                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                        • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                      • ExitProcess.KERNEL32 ref: 0040BFD7
                                      Strings
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-2974882535
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                      • SetEvent.KERNEL32 ref: 004191CF
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                      • CloseHandle.KERNEL32 ref: 004191F0
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                      Strings
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                      • API String ID: 738084811-1354618412
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                      • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                      • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                      • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                      Strings
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                      • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                      • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                      • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                      • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-3443138237
                                      • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                      • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                                      • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                      • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                                      • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                      • Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                                      • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                      • _free.LIBCMT ref: 0044E4DF
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 0044E501
                                      • _free.LIBCMT ref: 0044E516
                                      • _free.LIBCMT ref: 0044E521
                                      • _free.LIBCMT ref: 0044E543
                                      • _free.LIBCMT ref: 0044E556
                                      • _free.LIBCMT ref: 0044E564
                                      • _free.LIBCMT ref: 0044E56F
                                      • _free.LIBCMT ref: 0044E5A7
                                      • _free.LIBCMT ref: 0044E5AE
                                      • _free.LIBCMT ref: 0044E5CB
                                      • _free.LIBCMT ref: 0044E5E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID: pF
                                      • API String ID: 161543041-2973420481
                                      • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                      • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                                      • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                      • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                      • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                      • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                      • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                      • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                      • Sleep.KERNEL32(00000064), ref: 00411C63
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$$.F$@#G$@#G
                                      • API String ID: 1223786279-2596709126
                                      • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                      • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                                      • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                      • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: pF
                                      • API String ID: 269201875-2973420481
                                      • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                      • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                                      • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                      • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                        • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                      • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                      • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                      • API String ID: 193334293-3226144251
                                      • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                      • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                                      • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                      • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                                      • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                      • API String ID: 1332880857-3714951968
                                      • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                                      • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                                      • Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                                      • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                      • GetCursorPos.USER32(?), ref: 0041B39E
                                      • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                      • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                      • ExitProcess.KERNEL32 ref: 0041B41A
                                      • CreatePopupMenu.USER32 ref: 0041B420
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                      • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                                      • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                      • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                                      • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                                      • Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                                      • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                      • __aulldiv.LIBCMT ref: 00407D89
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                      • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                      • CloseHandle.KERNEL32(00000000), ref: 00408038
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                      • API String ID: 3086580692-2596673759
                                      • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                      • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                                      • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                      • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                                      APIs
                                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                        • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                        • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                        • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                      • ExitProcess.KERNEL32 ref: 0040C57D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                      • API String ID: 1913171305-2600661426
                                      • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                      • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                                      • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                      • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 004048C0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                      • WSAGetLastError.WS2_32 ref: 00404A01
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-2151626615
                                      • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                      • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                                      • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                      • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                                      APIs
                                        • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                      • __dosmaperr.LIBCMT ref: 00452ED6
                                      • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                      • __dosmaperr.LIBCMT ref: 00452EF5
                                      • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                      • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                      • GetLastError.KERNEL32 ref: 00453091
                                      • __dosmaperr.LIBCMT ref: 00453098
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                      • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                                      • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                      • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                      • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                                      • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                      • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 00409C81
                                      • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                      • GetForegroundWindow.USER32 ref: 00409C92
                                      • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                      • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                      • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                                      • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                      • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                      • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                                      • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                      • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                                      • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                                      • __dosmaperr.LIBCMT ref: 00438646
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                                      • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                                      • __dosmaperr.LIBCMT ref: 00438683
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                                      • __dosmaperr.LIBCMT ref: 004386D7
                                      • _free.LIBCMT ref: 004386E3
                                      • _free.LIBCMT ref: 004386EA
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      APIs
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: pF$tF
                                      • API String ID: 269201875-2954683558
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 0040549F
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                      • TranslateMessage.USER32(?), ref: 0040555E
                                      • DispatchMessageA.USER32(?), ref: 00405569
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      APIs
                                        • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                      • CloseHandle.KERNEL32(00000000), ref: 00416123
                                      • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: <$@$@%G$@%G$Temp
                                      • API String ID: 1704390241-4139030828
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      APIs
                                      • _free.LIBCMT ref: 00445645
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 00445651
                                      • _free.LIBCMT ref: 0044565C
                                      • _free.LIBCMT ref: 00445667
                                      • _free.LIBCMT ref: 00445672
                                      • _free.LIBCMT ref: 0044567D
                                      • _free.LIBCMT ref: 00445688
                                      • _free.LIBCMT ref: 00445693
                                      • _free.LIBCMT ref: 0044569E
                                      • _free.LIBCMT ref: 004456AC
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00417F6F
                                      • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                      • Sleep.KERNEL32(000003E8), ref: 004180B3
                                      • GetLocalTime.KERNEL32(?), ref: 004180BB
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                      • API String ID: 489098229-3790400642
                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 00409738
                                        • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                        • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                        • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                        • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: H"G$H"G
                                      • API String ID: 3795512280-1424798214
                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • Sleep.KERNEL32(00000064), ref: 00415A46
                                      • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                      • ExitProcess.KERNEL32 ref: 00406782
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteExitProcessShell
                                      • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                      • API String ID: 1124553745-1488154373
                                      APIs
                                      • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: AllocConsoleShowWindow
                                      • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                      • API String ID: 4118500197-4025029772
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                        • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                        • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                        • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                      • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                      • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                      • TranslateMessage.USER32(?), ref: 0041B29E
                                      • DispatchMessageA.USER32(?), ref: 0041B2A8
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                                      • __alloca_probe_16.LIBCMT ref: 004510CA
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                                      • __alloca_probe_16.LIBCMT ref: 00451174
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                                      • __freea.LIBCMT ref: 004511E3
                                      • __freea.LIBCMT ref: 004511EF
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • _memcmp.LIBVCRUNTIME ref: 00442935
                                      • _free.LIBCMT ref: 004429A6
                                      • _free.LIBCMT ref: 004429BF
                                      • _free.LIBCMT ref: 004429F1
                                      • _free.LIBCMT ref: 004429FA
                                      • _free.LIBCMT ref: 00442A06
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                      • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                      • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                      • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                      • API String ID: 3578746661-168337528
                                      • Opcode ID: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                                      • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                      • Opcode Fuzzy Hash: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                                      • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                        • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                        • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                      • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                      • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                      • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                      • __alloca_probe_16.LIBCMT ref: 00447056
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                      • __alloca_probe_16.LIBCMT ref: 0044713B
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                      • __freea.LIBCMT ref: 004471AB
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • __freea.LIBCMT ref: 004471B4
                                      • __freea.LIBCMT ref: 004471D9
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                      • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                      • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                      • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend
                                      • String ID:
                                      • API String ID: 3431551938-0
                                      • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                      • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                      • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                      • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                      APIs
                                      • OpenClipboard.USER32 ref: 00414F41
                                      • EmptyClipboard.USER32 ref: 00414F4F
                                      • CloseClipboard.USER32 ref: 00414F55
                                      • OpenClipboard.USER32 ref: 00414F5C
                                      • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                      • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                      • CloseClipboard.USER32 ref: 00414F84
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID:
                                      • API String ID: 2172192267-0
                                      • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                      • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                      • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                      • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                                      APIs
                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                      • __fassign.LIBCMT ref: 00447814
                                      • __fassign.LIBCMT ref: 0044782F
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                      • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                      • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                      • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                      • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                      • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: $-E$$-E
                                      • API String ID: 269201875-3140958853
                                      • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                      • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                      • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                      • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                      APIs
                                      • _strftime.LIBCMT ref: 00401D30
                                        • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                      • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                      • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                      • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav
                                      • API String ID: 3809562944-3597965672
                                      • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                      • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                      • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                      • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
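Two of the routines above leave file-name artifacts that can be hunted for offline: the download routine writes to a name carrying the `.part` suffix and renames it with `MoveFileW` once the transfer completes (a `.part` file that is still on disk points at an interrupted transfer), and the audio-capture routine builds a name from `_strftime` with `%Y-%m-%d %H.%M` next to the string `.wav`. The `.` between hour and minute is there because `:` is not a legal character in a Windows file name. The Python below is an added example, not code from this report or from Remcos; it assumes the strftime output and `.wav` are concatenated into one file name (the two strings sit in the same function, but the listing does not show the concatenation), it treats `.part` as an interrupted staged download, and it runs over a constructed listing whose user name and folder names are placeholders.

```python
"""Hunt a file listing for traces of the staged-download and audio-capture
routines. Added example; not report or Remcos code. The listing is constructed."""
from datetime import datetime
import re

WAV_FMT = "%Y-%m-%d %H.%M"      # strftime pattern from the audio-capture function
# Loose shape check; strptime below validates the fields so that a name such as
# "2024-13-40 99.99.wav" is rejected instead of producing a false positive.
WAV_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}\.\d{2})\.wav$", re.IGNORECASE)

def classify(path):
    """Return ("recording", datetime), ("partial", None) or None for one path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = WAV_RE.match(name)
    if m:
        try:
            return "recording", datetime.strptime(m.group(1), WAV_FMT)
        except ValueError:
            return None
    if name.lower().endswith(".part"):          # ASSUMPTION: interrupted staged download
        return "partial", None
    return None

def hunt(listing):
    """Group hits by kind; recordings come back sorted by capture time."""
    found = {"recording": [], "partial": []}
    for path in listing:
        hit = classify(path)
        if hit:
            found[hit[0]].append((path, hit[1]))
    found["recording"].sort(key=lambda item: item[1])
    return found

SAMPLE_LISTING = [   # constructed paths; "victim" and the folder names are placeholders
    r"C:\Users\victim\AppData\Roaming\capture\2024-10-29 14.07.wav",
    r"C:\Users\victim\AppData\Roaming\capture\2024-10-29 13.55.wav",
    r"C:\Users\victim\AppData\Roaming\capture\2024-13-40 99.99.wav",   # passes the regex, fails strptime
    r"C:\Users\victim\AppData\Local\Temp\update.exe.part",
    r"C:\Users\victim\Music\song.wav",
]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LISTING).items():
        for path, when in hits:
            print(kind, when.strftime(WAV_FMT) if when else "", path)
```

Feed `hunt()` the output of a file-system walk (for example an MFT or `dir /s` export turned into a list of paths). The `.wav` name pattern is the stronger indicator; the `.part` suffix is also used by legitimate downloaders (Firefox names in-progress downloads that way), so treat those hits as context for the timeline rather than as a verdict on their own.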
                                      APIs
                                        • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                        • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                        • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                      • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                      • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                      • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                      • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                      • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                      • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                      APIs
                                        • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                      • _free.LIBCMT ref: 0044E128
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 0044E133
                                      • _free.LIBCMT ref: 0044E13E
                                      • _free.LIBCMT ref: 0044E192
                                      • _free.LIBCMT ref: 0044E19D
                                      • _free.LIBCMT ref: 0044E1A8
                                      • _free.LIBCMT ref: 0044E1B3
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                      • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                      • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                      • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                      APIs
                                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                        • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                        • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                        • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                      • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                      • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                      • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                      • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                                      APIs
                                      • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                      • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                      • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                      • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                      • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                      • GetLastError.KERNEL32 ref: 0040AA28
                                      Strings
                                      • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                      • UserProfile, xrefs: 0040A9EE
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                      • [Chrome Cookies not found], xrefs: 0040AA42
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                      • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                      • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                      • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
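Across the function entries above (the `.part` staged write, the clipboard read that ends in `send`, the `waveIn*` audio capture, the IE and Chrome cookie routines, the `SOFTWARE\Microsoft\Windows NT\CurrentVersion` lookup) and the `ChangeServiceConfigW` call listed further down, each capability is visible only as an API sequence plus a few strings, with arguments printed as raw hex. The Python below parses that `APIs` / `String ID` listing format and maps each entry to a capability tag, decoding the argument values that matter: `0000000D` passed to `GetClipboardData` is `CF_UNICODETEXT`, `00000002` as the fifth `CreateFileW` argument is `CREATE_ALWAYS`, `80000002` as the first `RegOpenKeyExA` argument is `HKEY_LOCAL_MACHINE`, and `00000004` as the `ChangeServiceConfigW` start type is `SERVICE_DISABLED`. It is an added example, not Joe Sandbox or Remcos code; the tag names and rule set are my own, and `SAMPLE` holds abbreviated copies of the entries from this report, keeping only the lines the rules need.

```python
"""Parse the 'APIs' listing of Joe Sandbox function entries and tag the
capability each one shows. Added example, not Joe Sandbox or Remcos code;
SAMPLE holds abbreviated copies of entries from this report."""
import re
from collections import namedtuple

ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")
Entry = namedtuple("Entry", "calls strings")
REF_RE = re.compile(r",?\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]{8}):\s*")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# documented Win32 constants used to decode the raw argument values the report prints
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
START_TYPES = {2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}

def parse_call(line):
    """One bullet such as 'GetClipboardData.USER32(0000000D), ref: 00414F6C'."""
    text = line.strip().lstrip("•").strip()
    m_ref = REF_RE.search(text)
    if not m_ref:
        return None
    ref, text = m_ref.group(1).upper(), text[: m_ref.start()]
    sub = SUBCALL_RE.match(text)
    if sub:
        text = text[sub.end():]
    head, _, rest = text.partition("(")
    args = []
    for a in (rest.rsplit(")", 1)[0].split(",") if rest else []):
        a = a.strip()  # 8 hex digits -> int, '?' -> None (unknown), anything else stays text
        args.append(None if a == "?" else int(a, 16) if HEX8_RE.match(a) else a)
    name, _, module = head.rpartition(".")  # last '.' separates API name from module
    return ApiCall(name, module, args, ref, sub.group(1).upper() if sub else None) if name else None

def parse_entry(block):
    calls, strings = [], []
    for raw in block.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.startswith("String ID:"):
            strings = [s for s in line[10:].strip().split("$") if s]
        elif (call := parse_call(line)):
            calls.append(call)
    return Entry(calls, strings)

def tag_capabilities(e):
    names = {c.name for c in e.calls}
    first = {c.name: c for c in reversed(e.calls)}       # first occurrence wins
    text_args = [a for c in e.calls for a in c.args if isinstance(a, str)]
    tags = []
    if {"OpenClipboard", "GetClipboardData"} <= names:
        fmt = first["GetClipboardData"].args[0]
        tags.append("clipboard-read:" + CLIPBOARD_FORMATS.get(fmt, str(fmt)) + (":exfil" if "send" in names else ""))
    if any(n.startswith("waveIn") for n in names):
        tags.append("audio-capture" + (":wav" if any(s.lower().endswith(".wav") for s in e.strings) else ""))
    if any("cookies" in s.lower() for s in e.strings + text_args):
        tags.append("cookie-tamper" + (":delete" if any(n.startswith("DeleteFile") for n in names) else ""))
    if {"CreateFileW", "WriteFile", "MoveFileW"} <= names:
        disp = first["CreateFileW"].args[4]                # dwCreationDisposition
        tags.append("staged-file-drop:" + DISPOSITIONS.get(disp, str(disp)) + (":.part" if ".part" in e.strings else ""))
    if "ChangeServiceConfigW" in names:
        start = first["ChangeServiceConfigW"].args[2]      # dwStartType
        tags.append("service-config:" + START_TYPES.get(start, str(start)))
    if {"RegOpenKeyExA", "RegQueryValueExA"} <= names and "ProductName" in e.strings:
        tags.append("os-fingerprint:" + HIVES.get(first["RegOpenKeyExA"].args[0], "?"))
    return tags

SAMPLE = {
    "clipboard": r"""• OpenClipboard.USER32 ref: 00414F5C
• GetClipboardData.USER32(0000000D), ref: 00414F6C
  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
• String ID:""",
    "drop": r"""• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
• String ID: .part""",
    "audio": r"""• _strftime.LIBCMT ref: 00401D30
• waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
• String ID: %Y-%m-%d %H.%M$.wav""",
    "os": r"""  • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
  • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion""",
    "chrome_cookies": r"""• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile""",
    "service": r"""• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
• String ID:""",
}

def analyze(sample=SAMPLE):
    return {label: tag_capabilities(parse_entry(block)) for label, block in sample.items()}

if __name__ == "__main__":
    for label, tags in analyze().items():
        print(f"{label:15} {', '.join(tags) or '-'}")
```

The parser keeps `Part of subcall function` bullets and records which callee they belong to, because that is where the interesting call often sits (the `send` behind the clipboard read and the `RegOpenKeyExA` behind the cookie and version lookups are both subcalls). Arguments shown as `?` are values the plugin could not resolve statically and come back as `None`, so a rule that needs a concrete argument should check for that before decoding. The rule set here covers only the entries on this page; extending it is a matter of adding one `if` per API combination.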
                                      APIs
                                      • __allrem.LIBCMT ref: 00438A09
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                      • __allrem.LIBCMT ref: 00438A3C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                      • __allrem.LIBCMT ref: 00438A71
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                      • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                      • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                      • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                      • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                      • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                      • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm
                                      • API String ID: 2936374016-3206640213
                                      • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                      • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                      • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                      • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                      • int.LIBCPMT ref: 0040F8D7
                                        • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                        • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                      • std::_Facet_Register.LIBCPMT ref: 0040F917
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                      • __Init_thread_footer.LIBCMT ref: 0040F97F
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID:
                                      • API String ID: 3815856325-0
                                      • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                      • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                      • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                      • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                      • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                      • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                      • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                      APIs
                                      • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • _free.LIBCMT ref: 0044575C
                                      • _free.LIBCMT ref: 00445784
                                      • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • _abort.LIBCMT ref: 004457A3
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                      • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                      • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                      • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                      • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                      • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                      • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                      • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                                      • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                      • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                      • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                                      • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                      • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
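The four service records above (call sites 00418C3E, 00418A6B, 00418B6F and 00418BD6) share one shape and differ only in the access right passed to OpenServiceW and in the control code or start type used afterwards: SERVICE_CHANGE_CONFIG (0x2) followed by ChangeServiceConfigW with dwStartType 4 (SERVICE_DISABLED), SERVICE_STOP (0x20) followed by ControlService 1 (STOP), and SERVICE_PAUSE_CONTINUE (0x40) followed by ControlService 2 (PAUSE) and 3 (CONTINUE). Added example, not part of the Joe Sandbox report and not code from the sample: a Python parser for the API-call lines in this report format that decodes those arguments by their documented Win32 parameter positions. The sample input is copied from the records above (plus two other line shapes that occur in this section); the class and function names are this example's own. Values the sandbox prints as "?" are kept as None, and only the documented parameter positions are read, so the trailing stack slots in each line are ignored.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One API-call line as printed in the report's function records, e.g.
#   • ControlService.ADVAPI32(00000000,00000001,?,...), ref: 00418A9B
#   • _free.LIBCMT ref: 0044575C
#   • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:~@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented ADVAPI32 constants used to decode the arguments below.
SERVICE_ACCESS = {0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
                  0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
                  0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
                  0x0100: "SERVICE_USER_DEFINED_CONTROL"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                      2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
                      4: "SERVICE_DISABLED"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                     # int for 8-hex-digit values, None for '?', str otherwise
    ref: int                       # call-site address
    parent: Optional[int] = None   # set for "Part of subcall function" lines

def parse_api_lines(text: str) -> list:
    """Parse the API lines of one or more records; non-matching lines (headings) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = []
        if m.group("args"):
            for tok in m.group("args").split(","):
                tok = tok.strip()
                if tok == "?":
                    args.append(None)          # sandbox could not resolve the value
                elif HEX32.match(tok):
                    args.append(int(tok, 16))
                else:
                    args.append(tok)           # string arguments (paths, command lines)
        parent = m.group("parent")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(parent, 16) if parent else None))
    return calls

def _flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def describe_service_ops(calls) -> list:
    """Decode service-control arguments by their Win32 parameter positions."""
    out = []
    for c in calls:
        a = c.args
        if c.api == "OpenServiceW" and len(a) > 2 and a[2] is not None:            # dwDesiredAccess
            out.append(f"{c.ref:08X} OpenServiceW access={_flags(a[2], SERVICE_ACCESS)}")
        elif c.api == "ControlService" and len(a) > 1 and a[1] is not None:         # dwControl
            out.append(f"{c.ref:08X} ControlService {SERVICE_CONTROL.get(a[1], hex(a[1]))}")
        elif c.api == "ChangeServiceConfigW" and len(a) > 2 and a[2] is not None:   # dwStartType
            out.append(f"{c.ref:08X} ChangeServiceConfigW start_type="
                       f"{SERVICE_START_TYPE.get(a[2], hex(a[2]))}")
    return out

# Lines copied from the four service records above, plus two other line shapes
# (no argument list; "Part of subcall function") to exercise the parser.
SAMPLE_API_LINES = """
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
• GetLastError.KERNEL32 ref: 0041B335
  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
"""

if __name__ == "__main__":
    for finding in describe_service_ops(parse_api_lines(SAMPLE_API_LINES)):
        print(finding)
```

Run against the whole "APIs" section of a report to list every call site that disables, stops or pauses a service; the OpenSCManagerW access value is deliberately not decoded, since these records show the same constant being passed to both OpenSCManagerW and OpenServiceW.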
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                      • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: h G
                                      • API String ID: 1958988193-3300504347
                                      • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                      • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                                      • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                      • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041B310
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                      • GetLastError.KERNEL32 ref: 0041B335
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                      • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                                      • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                      • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                        • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                      • _UnwindNestedFrames.LIBCMT ref: 00437631
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                      • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID: /zC
                                      • API String ID: 2633735394-4132788633
                                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                      • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                      • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                      • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID: ]tA
                                      • API String ID: 4116985748-3517819141
                                      • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                      • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                                      • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                      • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                      • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                                      • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                      • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
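The CreateProcessA record above shows the sample launching cmd.exe /k with a reg.exe command that sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which turns UAC off after the next reboot. CreateProcessA does not expand environment variables, so the literal %windir% is what appears in the parent cmd.exe process-creation event, while the child reg.exe event carries the expanded path. Added example, not part of the report and not code from the sample: Python detection logic run over constructed process-creation events (Image and CommandLine fields in the shape of Sysmon Event ID 1 or Security 4688; the event list is constructed here, and event 0 reproduces the exact command line from the record) that flags both the cmd.exe wrapper and the bare reg.exe form, ignores a read-only query and a write that sets the value back to 1, and, going beyond what this report shows, also matches the equivalent PowerShell Set-ItemProperty form. Function names and the technique labels are this example's own.

```python
import re

# Registry key holding the UAC policy values; accepts HKLM\..., HKLM:\... and
# HKEY_LOCAL_MACHINE\... spellings.
UAC_POLICY_KEY = (
    r"(?:HKLM|HKEY_LOCAL_MACHINE)[\\:]+SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Policies\\System"
)

# reg.exe ADD <key> with /v EnableLUA and /d 0 in any switch order. Matches whether
# reg.exe is invoked directly or via "cmd.exe /k %windir%\System32\reg.exe ..." as in
# the record above, because only the text from "reg" onwards is inspected.
REG_ADD_ENABLELUA_ZERO = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?" + UAC_POLICY_KEY + r"\"?"
    r"(?=.*?/v\s+EnableLUA\b)(?=.*?/d\s+(?:0x)?0+\b)",
    re.IGNORECASE | re.DOTALL,
)

# PowerShell equivalent; not observed in this report, included as the generalisation.
PS_SET_ENABLELUA_ZERO = re.compile(
    r"\b(?:Set-ItemProperty|New-ItemProperty)\b"
    r"(?=.*?" + UAC_POLICY_KEY + r")"
    r"(?=.*?-Name\s+['\"]?EnableLUA\b)(?=.*?-Value\s+['\"]?(?:0x)?0+\b)",
    re.IGNORECASE | re.DOTALL,
)

def classify_cmdline(cmdline: str):
    """Return a technique label if the command line disables UAC, else None."""
    if REG_ADD_ENABLELUA_ZERO.search(cmdline):
        return "reg.exe writes EnableLUA=0"
    if PS_SET_ENABLELUA_ZERO.search(cmdline):
        return "PowerShell writes EnableLUA=0"
    return None

def scan_process_events(events):
    """Run classify_cmdline over process-creation events; return (index, image, label) hits."""
    hits = []
    for i, ev in enumerate(events):
        label = classify_cmdline(ev.get("CommandLine", ""))
        if label:
            hits.append((i, ev.get("Image", ""), label))
    return hits

# Constructed events. Event 0 is the exact command line from the CreateProcessA record;
# event 1 is what the resulting child reg.exe looks like once cmd.exe has expanded %windir%.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"C:\Windows\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",          # read-only audit, must not fire
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA"},
    {"Image": r"C:\Windows\System32\reg.exe",          # re-enables UAC, must not fire
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Set-ItemProperty -Path "
                    r"'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' "
                    "-Name EnableLUA -Value 0\""},
]

if __name__ == "__main__":
    for idx, image, label in scan_process_events(SAMPLE_EVENTS):
        print(f"event {idx}: {image}: {label}")
```

Both the parent and child events fire, so the rule does not depend on which of the two a collector happens to record; on a live host the same key can be checked with reg query against the path above, and a value of 0 there means UAC will be off after the next reboot.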
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                      • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                                      • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                      • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      Strings
                                      • Connection KeepAlive | Disabled, xrefs: 004050D9
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: Connection KeepAlive | Disabled
                                      • API String ID: 2993684571-3818284553
                                      • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                      • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                                      • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                      • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                                      APIs
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                      • Sleep.KERNEL32(00002710), ref: 00418DBD
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                      • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                                      • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                      • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                      • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                                      • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                      • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                                      APIs
                                      • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                        • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                      • API String ID: 3469354165-3547787478
                                      • Opcode ID: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                                      • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                                      • Opcode Fuzzy Hash: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                                      • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                                      APIs
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • _free.LIBCMT ref: 00442318
                                      • _free.LIBCMT ref: 0044232F
                                      • _free.LIBCMT ref: 0044234E
                                      • _free.LIBCMT ref: 00442369
                                      • _free.LIBCMT ref: 00442380
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                      • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                                      • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                      • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                                      APIs
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                      • _free.LIBCMT ref: 004468EC
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 00446AB8
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                      • String ID:
                                      • API String ID: 1286116820-0
                                      • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                                      • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
                                      • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                                      • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                      • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                                      • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                      • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                      • __alloca_probe_16.LIBCMT ref: 0044E391
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                      • __freea.LIBCMT ref: 0044E3FD
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID:
                                      • API String ID: 313313983-0
                                      • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                      • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                                      • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                      • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                      • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                      • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                      • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                      • waveInStart.WINMM ref: 00401CDE
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID:
                                      • API String ID: 1356121797-0
                                      • Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                                      • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                                      • Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                                      • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                      • _free.LIBCMT ref: 0044C59F
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                      • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                                      • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                      • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                                      APIs
                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID:
                                      • API String ID: 1852769593-0
                                      • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                      • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                      • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                      • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                      • int.LIBCPMT ref: 0040FBE8
                                        • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                        • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                      • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID:
                                      • API String ID: 2536120697-0
                                      • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                      • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                                      • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                      • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                                      APIs
                                      • _free.LIBCMT ref: 0044DBB4
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 0044DBC6
                                      • _free.LIBCMT ref: 0044DBD8
                                      • _free.LIBCMT ref: 0044DBEA
                                      • _free.LIBCMT ref: 0044DBFC
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                      • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                                      • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                      • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                                      APIs
                                      • _free.LIBCMT ref: 00441566
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 00441578
                                      • _free.LIBCMT ref: 0044158B
                                      • _free.LIBCMT ref: 0044159C
                                      • _free.LIBCMT ref: 004415AD
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                      • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                                      • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                      • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]
                                      • API String ID: 3554306468-4262303796
                                      • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                      • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                                      • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                      • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                                      APIs
                                      • _strpbrk.LIBCMT ref: 0044B918
                                      • _free.LIBCMT ref: 0044BA35
                                        • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                        • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                        • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                      • String ID: *?$.
                                      • API String ID: 2812119850-3972193922
                                      • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                      • Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
                                      • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                      • Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __alloca_probe_16__freea
                                      • String ID: H"G$H"GH"G
                                      • API String ID: 1635606685-3036711414
                                      • Opcode ID: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                                      • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
                                      • Opcode Fuzzy Hash: 80076ff913fd6fdf96b59eec9a2e877d4b1c448352c335ccfb263d7e6081886f
                                      • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040189E
                                      • ExitThread.KERNEL32 ref: 004018D6
                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                      • String ID: 8:G
                                      • API String ID: 1649129571-405301104
                                      • Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                      • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
                                      • Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                      • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\XyLTxdgHV.exe,00000104), ref: 00440975
                                      • _free.LIBCMT ref: 00440A40
                                      • _free.LIBCMT ref: 00440A4A
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\AppData\Roaming\XyLTxdgHV.exe
                                      • API String ID: 2506810119-2386955059
                                      • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                      • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
                                      • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                      • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
                                      APIs
                                        • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                        • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                        • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                      • _wcslen.LIBCMT ref: 00419744
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$program files (x86)\$program files\
                                      • API String ID: 37874593-1203593143
                                      • Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                      • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
                                      • Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                      • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                      • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                      • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                      • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                                      • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                      • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                                      APIs
                                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                      • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                      • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                      • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                                      • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                      • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 00404F61
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                      • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                      Strings
                                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: Connection KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-507513762
                                      • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                      • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                                      • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                      • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                      • CloseHandle.KERNEL32(?), ref: 004051AA
                                      • SetEvent.KERNEL32(?), ref: 004051B9
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                      • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: origmsc
                                      • API String ID: 3677997916-68016026
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                      • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                      Strings
                                      • http\shell\open\command, xrefs: 00412026
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: http\shell\open\command
                                      • API String ID: 3677997916-1487954565
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                                      • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                                      • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                                      Strings
                                      • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Software\Classes\mscfile\shell\open\command
                                      • API String ID: 1818849710-505396733
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                        • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                        • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                      • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                      • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: P0F
                                      • API String ID: 1818849710-3540264436
                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                      • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      • API String ID: 1646373207-2714051624
                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                      • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      • API String ID: 2574300362-1519888992
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                      • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                      • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 3360349984-0
                                      Strings
                                      • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                      • Cleared browsers logins and cookies., xrefs: 0040B036
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      APIs
                                        • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                        • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                        • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                      • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                      Similarity
                                      • API ID: CloseOpenQuerySleepValue
                                      • String ID: H"G$exepath$!G
                                      • API String ID: 4119054056-2148977334
                                      APIs
                                        • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                        • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                        • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                      • Sleep.KERNEL32(000001F4), ref: 0040955A
                                      • Sleep.KERNEL32(00000064), ref: 004095F5
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                        • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                      Strings
                                      • /sort "Visit Time" /stext ", xrefs: 00404092
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "
                                      • API String ID: 368326130-1573945896
                                      APIs
                                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                      • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      APIs
                                      • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                      • IsWindowVisible.USER32(?), ref: 00415B37
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$TextVisible
                                      • String ID: (%G
                                      • API String ID: 1670992164-3377777310
                                      APIs
                                      • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                      Strings
                                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: Connection KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-507513762
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                      • ___raise_securityfailure.LIBCMT ref: 00432E76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                      • String ID: (F
                                      • API String ID: 3761405300-3109638091
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i
                                      • API String ID: 481472006-2430845779
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: alarm.wav$x(G
                                      • API String ID: 1174141254-2413638199
                                      APIs
                                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • CloseHandle.KERNEL32(?), ref: 00409FFD
                                      • UnhookWindowsHookEx.USER32 ref: 0040A010
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040A597
                                        • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                        • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                        • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                        • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                        • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                        • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 3195419117-2658077756
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040A5F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: 6h@
                                      • API String ID: 2654517830-73392143
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                      • GetLastError.KERNEL32 ref: 0043B4E9
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                      • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                      • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.2104824544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_400000_XyLTxdgHV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0